Request for Qualifications (RFQ): User Acceptance Testing (UAT) & Performance Testing Audit and IS Audit. India Post Payments Bank Limited. Date: 11th Oct, 2017

Request for Qualifications (RFQ) - India Post · Corporate Office, Malcha Marg Post Office Building, Chanakyapuri, New Delhi – 110021. Address for Communication India Post Payments


Request for Qualifications (RFQ)
User Acceptance Testing (UAT) & Performance Testing Audit and IS Audit

India Post Payments Bank Limited
Date: 11th Oct, 2017


Invitation to Response

India Post Payments Bank Limited invites sealed tender offers to empanel UAT & Information Systems (IS) Audit bidders in accordance with the scope set out in the tender document. This tender may be downloaded by the bidders free of cost from the Central Public Procurement Portal www.eprocure.gov.in

Procurement Summary Sheet

Name of the Company: India Post Payments Bank Limited

RFQ Reference Number: IPPB/UAT/01/2017-18

Date of issue of RFQ: Date: 11th Oct 2017, Time: 10.30 AM

Last Date for receipt of clarifications: Date: 23rd Oct, Time: 11 AM

Pre-response meeting: Date: 27th Oct, Time: 11 AM

Response to Bidder clarifications: 30th Oct

Last Date and Time for response submission: Date: 07th Nov, Time: 11 AM

Date and time of response opening: Date: 08th Nov, Time: 11.30 AM

Declaration of Results: Date: To be notified, Time: To be notified

Primary point of contact for RFQ process related clarifications:
    Name: Mr. Yogesh Sharma
    Designation: Procurement Manager
    Email: [email protected]
    Contact Number: 26113119 Ext 112,115,110

Place of opening of response: India Post Payments Bank, Corporate Office, Malcha Marg Post Office Building, Chanakyapuri, New Delhi – 110021.

Address for Communication: India Post Payments Bank, Corporate Office, Malcha Marg Post Office Building, Chanakyapuri, New Delhi – 110021.

1. Response is invited from UAT and IS Audit service providers who can provide these services to the bank.

2. The detailed technology landscape will be shared with the UAT and IS Audit bidders after signing the NDA.

3. Response received by the Bank after the specified last date and time shall not be eligible for consideration and shall be summarily rejected.

4. The Bank reserves the right to change the schedule mentioned above or elsewhere mentioned in the document, which will be communicated by placing the same as a corrigendum on the Central Public Procurement Portal (www.eprocure.gov.in) (hereon referred to as “CPP Portal”).

5. The Bank reserves the right to reject any or all responses without assigning any reason.

6. Responses will be opened in the presence of Bidder’s representatives who choose to attend the opening of the tender on the above-specified date, time and place. A maximum of 2 representatives per Bidder will be allowed to attend the opening of the response. The representatives of the Bidders are advised to carry a letter of authority from their respective firms to establish their bona fides for attending the opening of the response.

7. Terms and conditions, specifications, and various formats and pro forma for submitting the response are described in this RFQ document.

8. Response must be submitted electronically on the CPP portal as described above.

Contents

Disclaimer
1. Introduction
2. Objective of RFQ
3. RFQ Process Details
4. Instructions to Bidders for UAT RFQ
    4.1. General Instructions
    4.2. Response Preparation and Submission
    4.3. Signature
    4.4. Bank's right to terminate the process
    4.5. Conflict of Interest
    4.6. One Response per Bidder
    4.7. Period of validity of response
    4.8. Deadline for Submission of Responses
    4.9. Late response, Delayed response
    4.10. Confidentiality
    4.11. Clarification of Queries
    4.12. Supplementary information/Corrigendum/Amendment to RFQ
    4.13. Amendment of the RFQ
    4.14. Modification/Substitution/Withdrawal of Responses
    4.15. Fraudulent, Corrupt, Coercive & Undesirable & Restrictive Practice
    4.16. Disqualifications
    4.17. Cancellation of RFQ process
    4.18. Applicable law and jurisdiction of court
5. RFQ for UAT Bidder
    5.1. Broad Scope of Work for UAT
        1. Test strategy development for the specific business application
        2. Test governance setup
        3. UAT and Performance testing audit execution
        4. Development and execution of defect management process
        5. Communication and reporting as per the governance plan
        6. Training to IPPB staff to execute UAT independently
    5.2. Eligibility Criteria
    5.3. RFQ Response Evaluation Process
        1. Scrutiny of Responses
        2. Clarifications
        3. Declaration of Empanelled Bidders
    5.4. Terms & Conditions
    5.5. Annexure
        1. Cover Letter
        2. Conformity Letter
        3. Self-Declaration
        4. Power of Attorney for Signing the Response
        5. Bidder Details
        6. Query Format
        7. Declaration on absence of Conflict of Interest
6. Instructions to Bidders for IS Audit RFQ
    6.1. General Instructions
    6.2. Response Preparation and Submission
    6.3. Signature
    6.4. Bank's right to terminate the process
    6.5. Conflict of Interest
    6.6. One Response per Bidder
    6.7. Period of validity of response
    6.8. Deadline for Submission of Responses
    6.9. Late response, Delayed response
    6.10. Confidentiality
    6.11. Clarification of Queries
    6.12. Supplementary information/Corrigendum/Amendment to RFQ
    6.13. Amendment of the RFQ
    6.14. Modification/Substitution/Withdrawal of Responses
    6.15. Fraudulent, Corrupt, Coercive & Undesirable & Restrictive Practice
    6.16. Disqualifications
    6.17. Cancellation of RFQ process
    6.18. Applicable law and jurisdiction of court
7. RFQ for IS Audit Bidder
    7.1. Broad Scope of Work
        1. Locations/office to be covered
        2. Areas to be covered
        3. Reporting Requirement
        4. Schedule and frequency of audit activities
    7.2. Eligibility Criteria
    7.3. RFQ Response Evaluation Process
        1. Scrutiny of Responses
        2. Clarifications
        3. Declaration of Empanelled Bidders
    7.4. Terms & Conditions
    7.5. Annexure
        1. Cover Letter
        2. Conformity Letter
        3. Self-Declaration
        4. Power of Attorney for Signing the Response
        5. Bidder Details
        6. Query Format
        7. Declaration on absence of Conflict of Interest
        8. Detailed Activities
8. Empanelment Period
9. List of Abbreviations

Common terms of reference/definition

Across the document the term

1. “Bank”, “IPPB” refers to India Post Payments Bank

2. “UAT” refers to user acceptance testing, regression testing & Performance testing audit

3. “Bidder” refers to the potential applicants who have downloaded the RFQ from CPP Portal and intimated the bank with details of their contact person and contact email id

4. “Vendor” refers to bidders who are empaneled by the Bank to provide UAT & Performance testing audit and/or IS Audit services

5. “Response”, “Proposal”, “Bid”, “Application”, “Tender” & “Offer” refers to the documents submitted by the intending Bidder in response to this RFQ

6. System Integrator (SI) is the Technology Bidder/s who is/are responsible for setting up the technology landscape of IPPB

7. “Partner” means a service provider directly supporting the System Integrator in implementing the proposed Switch solution. “Partner” also means a CBS OEM partnering with the System Integrator for the joint implementation of the CBS. Bidder cannot propose any entity other than CBS OEM for partnering in the CBS implementation.

8. “Associate” means person who controls, is controlled by, or is under the common control with the entity. As used in this definition, the expression “control” means, with respect to a person which is a company or corporation, the ownership, directly or indirectly, of more than 50% (fifty per cent) of the voting shares of such person, and with respect to a person which is not a company or corporation, the power to direct the management and policies of such person by operation of law


India Post Payments Bank

Request for Qualifications (RFQ)

Disclaimer

This document has been prepared by the Bank, based on the information available with itself, and other publicly available documents that the Bank believes to be reliable. The sole objective of this document (the “Request for Qualification” or the “RFQ”) is not an offer or agreement and is only an invitation by Bank to the interested parties for submission of their responses to RFQ. While this document has been prepared in good faith, no representation or warranty, express or implied, is or will be made, and no responsibility or liability will be accepted by the Bank or any of their employees, advisors or agents as to or in relation to the accuracy or completeness of this document and any liability thereof is hereby expressly disclaimed. Interested Bidders may carry out their own study / analysis / investigation as required before submitting their responses.

Information provided in this RFQ to the Bidders is on a wide range of matters, some of which depends upon interpretation of law. The information in this document is not an exhaustive account of statutory requirements, and should not be regarded as a complete or authoritative statement of law. The authority accepts no responsibility for the accuracy or otherwise for any interpretation or opinion on the law expressed herein.

The Bank, its employees, advisors and agents make no representation or warranty and shall have no liability to any person, including any Bidder under any law, statute, rules or regulations or tort, principles of restitution or unjust enrichment or otherwise for any loss, damages, cost or expense which may arise from or be incurred or suffered on account of anything contained in this RFQ or otherwise, including the accuracy, adequacy, correctness, completeness and any assessment, assumption, statement or information contained therein or deemed to form part of this RFQ or arising in any way for participation in this Stage.

The Bank also accepts no liability of any nature whether resulting from negligence or otherwise howsoever caused arising from reliance of any Bidder upon the statements contained in this RFQ. The Bank may in its absolute discretion, but without being under any obligation to do so, update, amend or supplement the information, assessment or assumptions contained in this RFQ.

This document does not constitute an offer or invitation, or solicitation of an offer, nor shall this document or anything contained herein form a basis of any binding contract or commitment whatsoever on the Bank.

The activities listed that are to be performed by the Bank, are indicative only. Bank has the right to continue with these activities, modify the sequence of activities, add new activities or remove some of the activities, as dictated by the best interests of Bank.

The issue of this RFQ does not imply that Bank is bound to select a Bidder. The Bank reserves the right to reject all or any of the responses to the RFQ without assigning any reasons whatsoever.

The Bidder shall bear all its costs associated with or relating to the preparation and submission of its responses to the RFQ including but not limited to preparation, copying, postage, delivery fees, expenses associated with any demonstrations or presentations which may be required by Bank or any other costs incurred in connection with or relating to its responses to the RFQ. All such costs and expenses will remain with the Bidder and Bank shall not be liable in any manner whatsoever for the same or for any other costs or other expenses incurred by the Bidder in preparation or submission of the responses to the RFQ, regardless of the conduct or outcome of the selection process.


1. Introduction

India Post Payments Bank Limited (“IPPB”) is a company incorporated and registered under Companies Act, 2013 and a payments banking company registered under section 22 (1) of the Banking Regulation Act, 1949 duly licensed by RBI. IPPB is engaged in conducting banking and payments business providing services to retail and corporate customers. IPPB has its Registered Office at Speed Post Center, Bhai Veer Singh Marge, New Delhi – 110 001 and the corporate office at Malcha Marg Post Office Building, Chanakyapuri, New Delhi – 110 021. IPPB is currently operating its business through its branches at Raipur and Ranchi. Over a period of time, the bank intends to establish its presence on a pan-India basis by 1.55 lakh access points.

2. Objective of RFQ

The bank is looking to empanel bidders to provide UAT & Performance testing audit and IS Audit services. Through this RFQ, IPPB intends to shortlist and empanel eligible bidders with whom detailed scope of work will be shared later for various UAT & Performance testing audit and IS Audit requirements of IPPB. The process of awarding the projects will be shared only with the empaneled bidders.

3. RFQ Process Details

This section highlights the high level process for bidders to respond to this document.

1. The bidders need to respond separately to the two RFQs as detailed in the respective sections.

2. Section 4 “Instructions to Bidders for UAT RFQ” and Section 5 “RFQ for UAT” provide instructions to bidders and scope of work for UAT & Performance testing audit.

3. Section 6 “Instructions to Bidders for IS Audit RFQ” and Section 7 “RFQ for IS Audit” provide instructions to bidders and scope of work for IS Audit.

4. Bidders can respond to either one or both of the RFQs.

5. Instructions to bidders, broad scope of work and bidder eligibility criteria are noted in subsequent sections.

4. Instructions to Bidders for UAT RFQ

4.1. General Instructions

1. The bidder shall download the RFQ from CPP Portal and intimate the bank with contact person and contact email id hereafter called registered bidder

2. Bidder shall attend pre-response meeting and send queries (if any) on the RFQ

3. Answers to queries, clarifications and changes in the RFQ document (if any), shall be communicated through CPP Portal

4. Bidder shall submit response completed in all respects by the due date and time given in this document

5. Bank will make all the earnest efforts to adhere to the timelines. The dates mentioned are tentative and may be altered by the Bank


4.2. Response Preparation and Submission

1. The bank will not accept delivery of response in any manner other than that specified in this document. Response delivered in other manner shall be treated as defective, invalid and rejected.

2. The response shall contain no interlineations or overwriting, except as necessary to correct errors made by the Bidder themselves. The person who signed the response must initial such corrections. Submission letters for the RFQ response should respectively be as per the format prescribed in this document.

3. The authorized signatories of the Bidder should initial on all pages of the response (both hard & soft copy) including annexures and documentary proofs. The authorization shall be in the form of a written Power of Attorney (refer Annexure 4: Power of Attorney) accompanying the response or in any other form to the satisfaction of the Bank demonstrating that the signatory has been duly authorized to sign.

4. This RFQ has been published on Central Public Procurement Portal (www.eprocure.gov.in). The bidders are required to submit soft copies of their response electronically on the CPP Portal using valid Digital Signature Certificates. More information useful for submitting online responses on the CPP Portal may be obtained at https://eprocure.gov.in/eprocure/app.

5. Bidders are required to enroll on the e-procurement module of the CPP Portal (URL: https://eprocure.gov.in/eprocure/app) by clicking on the link “Online Bidder Enrolment”. Enrolment on the CPP Portal is free of charge.

6. As part of the enrolment process, the bidders will be required to choose a unique username and assign a password for their accounts.

7. Bidders are advised to register their valid email address and mobile numbers as part of the registration process. These would be used for any communication from the CPP Portal.

8. Upon enrolment, the bidders will be required to register their valid Digital Signature Certificate (Class II or Class III Certificates with signing key usage) issued by any Certifying Authority recognized by CCA India, with their profile. Only one valid DSC should be registered by a Bidder. Please note that the bidders are responsible to ensure that they do not lend their DSCs to others which may lead to misuse.

9. Bidders will then log in to the site through the secured log-in by entering their user ID/password and the password of the DSC/e-Token

10. The Bidder shall submit their responses in the standard formats prescribed in this RFQ at www.eprocure.gov.in. The bidders should upload the scanned copies of all relevant certificates, documents etc. on www.eprocure.gov.in in support of their response. The Bidder should sign on all statements, documents etc. uploaded by them owning responsibility for their authenticity. Responses must be submitted online by the last date and time indicated in the “Invitation to Response”.

11. All the pages of the response should be sequentially numbered and must contain the list of contents with page numbers. Any deficiency in the documentation may result in the rejection of the response

12. There should be a Table of Contents in the soft copy response

13. The response prepared by the bidder should be prepared in English language in PDF format.


14. Submission will be valid only if copies of the response documents are submitted as per the defined clauses in the document and before the mentioned submission closing date and time.

15. Only one submission of response by each Bidder will be permitted.

16. RFQ response should contain at least the below mentioned details/documents:

I. Company profile

II. High level approach and methodology for UAT and Performance testing audit

III. Annexure 1 - Cover Letter

IV. Annexure 2 - Conformity Letter

V. Annexure 3 - Self-Declaration

VI. Annexure 4 - Power of Attorney for signing the Response

VII. Annexure 5 – Bidder Details

VIII. Annexure 7 – Declaration on absence of Conflict of Interest

IX. Certificate from the Bidder’s Statutory Auditor or Chartered Accountant confirming the Bidder is in the business of UAT and Performance testing audit for at least three years as on 31st March 2017 in India.

X. A copy of the PAN card of the Bidder

XI. A copy of GST registration of the Bidder

XII. Certificate of incorporation of the Bidder

XIII. Copies of audited financial statement (the profit and loss statement or the balance sheet showing the annual turnover) for (FY 2014-15, 2015-16, 2016-17)

XIV. A list of the Board of Directors of the Bidder as of the date of submission of the response. This list must be certified by the company secretary of the Bidder

XV. Copy of purchase order or a letter from the Bank signed by the competent authority on the letter head.

Hard Copy

I. Annexure 4 – Power of Attorney for signing the Response

4.3. Signature

• The covering letters must be signed with the Bidder’s name and by an Authorized Signatory of the Bidder, who is authorized to commit the Bidder to contractual obligations. All obligations committed by such signatories are liable to be fulfilled by the Bidder who would be empaneled as per the terms of the RFQ.

• All the commitments, obligations, responses (all the pages) against this RFQ must be signed by the signatory of the Bidder

4.4. Bank's right to terminate the process

• Bank makes no commitments, explicit or implicit, that this process will result in a business transaction with anyone


• This RFQ does not constitute an offer by Bank. The Bidders’ participation in this process may result in Bank empanelling the Bidders to engage in further discussions and selection. The commencement of such discussions does not, however, signify a commitment by Bank to execute a contract

• The Bank, at any point, may terminate this RFQ process, at its sole discretion, without any obligation to provide any information on the grounds for such termination to the Bidder.

4.5. Conflict of Interest

• Bidder shall furnish an affirmative statement (Annexure 7: Declaration on absence of Conflict of Interest) as to the existence of, or absence of, or potential for conflict of interest on the part of the Bidder or any prospective Partner due to prior, current, or proposed contracts, engagements, or affiliations with any entity which may be perceived as a conflict of interest for the Bidder to provide products/services to the Bank. Such entities may include, but are not limited to, competitors of the Bank such as other payments banks. Additionally, such disclosure shall address any and all potential elements (time frame for service delivery, resource, financial or other) that would adversely impact the ability of the Bidder to complete the requirements as given in the RFQ

4.6. One Response per Bidder

• No Bidder shall submit more than one response against this RFQ

• The Bidder cannot be a partner with any other Bidder

4.7. Period of validity of response

• Responses submitted for the RFQ shall remain valid for 180 days from the last date (deadline) for submission of response. A response with lesser validity period will be treated as non-responsive

• In exceptional circumstances, the Bank may solicit the bidders’ consent for extension of the period of validity. The request and the responses thereto shall be made in writing

4.8. Deadline for Submission of Responses

• Response complete in all respects should be shared as described in “Response Preparation and Submission” not later than the date and time mentioned in the “Invitation to Response” section. In the event of the specified date for the submission of response being declared a holiday, the response will be received up to the appointed time on the next working day

• In case Bank extends the deadline for submission of responses due to any reason, all rights and obligations of Bank and Bidders that were subject to the previous deadline will thereafter be subject to the extended deadline


4.9. Late response, Delayed response

Late responses (i.e. responses received after the specified time of opening) and Delayed responses (i.e. responses received before the time of opening but after the due date and time for receipt of response) shall not be considered by the Bank.

4.10. Confidentiality

The information given in this document is confidential and is for use by the Bidder to whom it has been issued. Each party, i.e. the Bank and the Bidder, shall treat the other party’s information as confidential and will take necessary steps to prevent the disclosure of the other’s confidential information to third parties. Both the parties will keep the contents of the response confidential.

4.11. Clarification of Queries

• Bidder requiring any clarification on this RFQ may notify the bank in writing by e-mail at the email address & by the date provided in the Invitation to Response section of this document. Bidder shall send the queries only in the prescribed format specified in Annexure 6 - Query Format mentioned in the document.

• No requests for clarification will be accepted via telephone. Bank shall respond over email or in writing and post online any request for clarification of the RFQ document that it receives until the date mentioned in section Invitation to Response of this document. Any questions submitted after the last date for receipt of queries shall not be considered by the bank. In no event will the bank be responsible for ensuring that Bidder’s inquiries have been received by the bank.

• It is to be noted that the Bank will respond to the clarification requests of only registered bidders.

• Bank may conduct a pre-response meeting to clarify any queries that the bidders might have regarding the RFQ as per the date and time mentioned in ‘Invitation to Response’ section. The venue of the pre-response meeting will be intimated to all registered bidders through e-mail.

• Each Bidder should not depute more than 2 representatives for the pre-response meeting. Bidder representatives should carry their company identification card on the pre-response conference day. Thereafter, email / written copies of Bank response shall be sent to all primary contacts of the registered Bidders.

• If a Bidder discovers any significant ambiguity, error, conflict, discrepancy, omission, or other deficiency in this RFQ, the Bidder should immediately notify Bank of such error and request modification or clarification of the RFQ document, which modification/clarification shall be at the sole discretion of Bank.

• Bank will not be responsible for any queries which any of the Bidders claim to have sent and which did not reach the designated email ids of Bank.

• Bank is not responsible to make any representation as to the completeness or accuracy of the responses, nor does it undertake to answer all the queries that have been posed by the Bidders.


• While addressing pre-response queries please mention the name of RFQ along with the name of organisation in the format “Pre-response Query_RFQ_<Organisation name>”

4.12. Supplementary information/Corrigendum/Amendment to RFQ

If the Bank deems it appropriate to revise any part of this RFQ or to issue additional data to clarify an interpretation of the provisions of this RFQ, it may issue supplements to this RFQ. Such supplemental information will be communicated to the primary contacts (as mentioned in the Introduction Section) of all the Bidders registered with the Bank by e-mail or other suitable method as determined by the Bank. Any such supplement shall be deemed to be an integral part of this RFQ.

4.13. Amendment of the RFQ

• At any time prior to the last date of submission of response, Bank may, for any reason, whether at its own initiative or in response to a clarification requested by a prospective Bidder, modify the RFQ document by an amendment.

• The primary contacts as mentioned in (Tender document for UAT & Performance testing audit and IS Audit for India Post Payments Bank Limited) of all the Bidders registered with the Bank will be notified of the amendment in writing or by fax or by email or by publishing on the CPP Portal and such amendment will be binding on all the Bidders.

• In order to provide the Bidders reasonable time in which to take the amendment into account in preparing their response, Bank may at its sole discretion extend the last date of submission of response.

4.14. Modification/Substitution/Withdrawal of Responses

The Bidder may modify, substitute or withdraw its responses at any time before its acceptance, provided that written notice of the modification, substitution or withdrawal is received by the Bank prior to the response due date. No response shall be modified, substituted or withdrawn by the bidder on or after the response due date.

Any alteration/ modification in the response or additional information supplied subsequent to the response due date, unless the same has been expressly sought for by the Bank, shall be disregarded.

4.15. Fraudulent, Corrupt, Coercive & Undesirable & Restrictive Practice

Bank will reject a response for empanelment if it determines that the Bidder recommended for empanelment has engaged in corrupt, fraudulent or coercive practices in competing for, or in executing, the project(s).

“Fraudulent practice” means any omission or misrepresentation that may mislead or attempt to mislead so that financial or other benefits may be obtained or an obligation avoided. This includes making false declaration or providing false information for participation in the RFQ process.


“Corrupt Practice” means making offers, solicitation or acceptance of bribe, rewards or gifts or any material benefit, in exchange for an unfair advantage in the procurement process or to otherwise influence the procurement process.

“Coercive Practice” means harming or threatening to harm, directly or indirectly, persons or their property to influence their participation in a procurement process, or affect the execution of a contract.

“Undesirable practice” means

a) Establishing contact with any person connected with or employed or engaged by the Bank with the objective of canvassing, lobbying or in any manner influencing or attempting to influence the Empanelment Process; or

b) Having a Conflict of Interest;

“Restrictive practice” means forming a cartel or arriving at any understanding or arrangement among bidders with the objective of restricting or manipulating a full and fair competition in the empanelment process.

4.16. Disqualifications

Apart from the reason of non-compliance with the minimum eligibility criteria conditions mentioned in section 5.2, the Bank may, at its sole discretion, at any time during the RFQ process, disqualify any Bidder from the RFQ process, if:

1. The response to the RFQ was submitted after the deadline.

2. Bidder has made / attempted to make misleading or false representations in the forms, statements and attachments submitted in proof of the eligibility requirements.

3. It does not comply with the requirements and scope of this RFQ.

4. A response does not follow the format requested in this RFQ.

5. Response is not accompanied by required documentation.

6. Bidder fails to provide information or documentary evidence or clarifications related thereto, when sought.

7. The Bank gets to know that the Bidder has withheld or suppressed the information which would have entitled the Bank to reject or disqualify the Bidder even though the Bidder has been qualified. The Bank reserves the right to reject the Bidder at any time whenever such information comes to notice.

8. Bidder is found to canvass, influence or attempt to influence in any manner the qualification or selection process, including without limitation, by offering bribes or other illegal gratification.

Since the above set of instances are only illustrative, the Bank at its sole discretion reserves the right to disqualify any of the bidders for any of the reasons set out above or any other reason without sharing the details with the Bidder.


4.17. Cancellation of RFQ process

Bank reserves the right to accept or reject any response and to cancel the RFQ process and reject all responses, at any time prior to the empanelment, without thereby incurring any liability to the affected Bidder or Bidders or any obligation to inform the affected Bidder/s of the reasons for the Bank’s action. Bank reserves the right to float fresh RFQ and/ or any procurement approach as deemed fit.

4.18. Applicable law and jurisdiction of court

Any dispute with the Bidder shall be governed in accordance with the Laws of India for the time being in force and will be subject to the exclusive jurisdiction of Courts at Delhi (with the exclusion of all other Courts).

5. RFQ for UAT Bidder

IPPB is looking to avail the services of UAT service providers to provide professional services to execute UAT functions of all the specified business applications of the payments bank. Through this RFQ, IPPB intends to shortlist and empanel eligible vendors for UAT as per the criteria defined in the following sections.

5.1. Broad Scope of Work for UAT

The broad level scope of work will include UAT of the specific business application, which includes setting-up, training and execution of various UAT/Regression/Performance testing audit cases and documenting its outcome and recommendations for improvement. The key activities will include but not be limited to the details present in the following sections.

IPPB reserves the rights to change the scope of work considering the size and variety of requirements and the changing business & security conditions/environment. The selected Bidder should bring all required application software testing tools including the frameworks and testing work stations, which will be used for the purposes of UAT.

1. Test strategy development for the specific business application:

Vendor is expected to create a separate test strategy document for UAT. Each test strategy document will contain at least the below mentioned points. This list is indicative and vendor can enhance it further based upon the experience and strategy proposed for the bank.

a) Discussion with bank to finalize in-scope and out of scope components

b) Define methodology and approach for UAT

c) Define roles and responsibilities of the UAT vendor.

d) Define risk, dependencies, assumptions and constraints

e) Define test plan and traceability matrix

f) Define test scenario/cases pass and fail criteria

g) Define test approach readiness, entry & exit, suspension and resumption criteria

h) Define and develop test scenario and cases

i) Define number of iterations of test cycle


j) Design load test models for Performance testing audit

k) Define expectations from the Bank to establish test environment

l) Define SLAs, escalation matrix, reporting frequency and mechanism

2. Test governance setup

a) Regular involvement in the discussions scheduled by the bank to check the status of UAT and Performance testing audit

b) Adherence to the timelines agreed between Bank and UAT vendor

3. UAT and Performance testing audit execution

a) Definition and execution of UAT test scenarios/cases for each business application and its interfaces and record the outcomes (along with screen shots) with required recommendations.

b) Perform regression testing of the applications/requirements under test to ensure existing functionality is not broken

c) Perform audit of performance tests that include baseline, load, volume, stress, endurance and network testing on core banking application and other business application with a focus on identifying hardware / software / database / application / network related bottlenecks

4. Development and execution of defect management process

The coordination protocol will be defined between the onboarded SI and UAT vendor by the bank. It would be a joint responsibility of SI and UAT vendor to ensure timely completion of User Acceptance Testing as per the scope of work defined. SLAs and penalties will be defined post discussion with SI and UAT vendor by the bank.

a) Bidder should develop & execute an industry-wide accepted defect management process for an efficient and successful execution of the UAT

b) Document & report the gaps, errors and defects observed during testing. Maintain a track of errors, defects and change request(s) and their resolution. Explain the defects, errors and gaps to the bank and onboarded System Integrator.

c) Process to track the defect till the closure. Ensure re-testing of the gaps, errors and defects after rectification.

5. Communication and reporting as per the governance plan

a) Vendor should schedule periodic meetings with the bank and submit periodic/ad-hoc reports suitable for all iterations of UAT and Performance testing audit to the bank for tracking the progress and evaluation of the project

6. Training to IPPB staff to execute UAT independently


a) Vendor should provide training to IPPB team members on using testing workstations and other testing tools.

b) Vendor should also provide training to IPPB staff on creation and execution of test cases/scenarios

5.2. Eligibility Criteria

To become eligible to respond to this section of RFQ, Bidder should:

• Fulfil, at a minimum, all the criteria mentioned below in Table 1

• Achieve a total score of 7 or above based on criteria mentioned in Table 2

• Score 1 or above in each of the criteria mentioned in Table 2.

Table 1: Minimum Eligibility Criteria

| # | Eligibility Criteria | Documents to be submitted |
|---|---|---|
| 1 | Bidder should have minimum turnover of INR 2 CR in each of the financial years (FY 2014-15, 2015-16, 2016-17). The same must be clearly indicated in the Profit – Loss account/Balance Sheet [1]. | 1. Certificate of incorporation of the Bidder; 2. Copies of audited financial statement (the profit and loss statement or the balance sheet showing the annual turnover) for (FY 2014-15, 2015-16, 2016-17) |
| 2 | Bidder should not have been black listed by the Central or any of the State Governments in India or any public sector Institution in India. | 1. Self-declaration from the Bidder |
| 3 | Bidder should not be the Systems Integrator for IPPB, nor should it be an Associate or Partner of the Systems Integrator. | 1. Self-declaration from the Bidder |
| 4 | The Board of Directors of the Bidder should not have anyone who has been debarred by the RBI for any reason. | 1. Self-declaration from the Bidder; 2. Submit a list of the Board of Directors of the Bidder as of the date of submission of the response. This list must be certified by the company secretary of the Bidder (signed and sealed). |

[1] For conversion of other currencies into Indian Rupees, the same shall be converted as on the date 60 (sixty) days prior to the last date of submission of the response. The conversion rate of such currencies shall be the daily representative exchange rates published by the International Monetary Fund for the relevant date.


Table 2: Eligibility and Scoring Criteria

| # | Eligibility Criteria | Documents to be submitted | Score |
|---|---|---|---|
| 1 | Bidder should have successfully executed/completed the user acceptance testing (UAT) of the core banking system along with other banking applications for at least one Indian scheduled commercial bank with at least 1000 branches. The provided reference should be operational (i.e. live in production environment) at the date of submission of the response to this RFQ. | 1. Self-declaration from the Bidder; 2. Copy of purchase order or a letter from the Bank signed by the competent authority on the letter head | No. of scheduled commercial banks: >= 1 and < 3: score 1; >= 3 and < 5: score 2; >= 5: score 2.5 |
| 2 | Bidder should have successfully executed/completed the Performance testing audit of CBS and other banking applications of at least one scheduled commercial bank with at least 1000 branches over the last three years i.e. the current financial year and the last three financial years. The provided reference should be operational (i.e. live in production environment) at the date of submission of the response to this RFQ. | 1. Self-declaration from the Bidder; 2. Copy of purchase order or a letter from the Bank signed by the competent authority on the letter head. | No. of branches: >= 1000 and < 1500: score 1; >= 1500 and < 2000: score 2; >= 2000: score 2.5 |
| 3 | Bidder must have a dedicated testing team (permanent employees on the Bidder’s payroll or contractors) of a minimum of 100 personnel across India. | Self-declaration from the Bidder | No. of employees: >= 100 and < 200: score 1; >= 200 and < 400: score 2; >= 400: score 2.5 |
| 4 | Bidder must be in business of UAT and Performance testing audit for at least 3 years in India. The Bidder must be a dedicated software-testing firm or a firm having a dedicated business line/practice for testing that includes UAT and Performance testing audit. | 1. Certificate from the Bidder’s Statutory Auditor or Chartered Accountant confirming the Bidder is in the business of UAT and Performance testing audit for at least three years as on 31st March 2017 in India; 2. A copy of the PAN card; 3. A copy of GST registration number | Years active as of 31-3-2017: >= 3 and < 4: score 1; >= 4 and < 5: score 2; >= 5: score 2.5 |

5.3. RFQ Response Evaluation Process

1. Scrutiny of Responses

The Bank will scrutinize the responses received to determine whether they are complete and as per the RFQ requirement, whether the evidentiary documentation asked for and required to evaluate the responses has been submitted, whether the documents have been properly signed, and whether information is provided as per the requirements, etc.

The Bank may, at its discretion, waive any minor non-conformities or any minor irregularity in the response. This shall be binding on all bidders and the Bank reserves the right for such waivers.

2. Clarifications

1. Bank may seek clarifications from the Bidders on the content of their responses.

2. All correspondence for the clarifications will be sent to the authorized signatory of the Bidder.

3. The Bidders are expected to provide the clarifications within the time frame to be specified by the Bank.

4. If the Bidders fail to provide any clarifications against such requests, Bank will make appropriate assumptions on those points and proceed with the evaluation.

3. Declaration of Empanelled Bidders

After evaluating the responses, Bank will publish on the CPP Portal the list of bidders who fulfil the minimum set of requirements mentioned in this RFQ. These bidders will be empanelled by the Bank for UAT execution and performance testing audit.


5.4. Terms & Conditions

The terms and conditions will be shared along with the detailed scope with the empanelled vendors.

5.5. Annexure

1. Cover Letter

(To be submitted on company letterhead)

Date:

To,

Manager Procurement

India Post Payments Bank

Malcha Marg Post Office Building

Chanakya Puri, New Delhi - 110021

Dear Sir,

1. Having examined the scope documents including all Annexures, the receipt of which is hereby duly acknowledged, we, the undersigned offer to supply, deliver, install and maintain all the items mentioned in the ‘Request for Quotation’ and the other schedules of requirements and services for your bank in conformity with the said scope documents.

2. If our response is accepted, we undertake to abide by all terms and conditions of this Scope and also to comply with the delivery schedule as mentioned in the scope document.

3. We agree to abide by this scope offer for 180 days from date of response opening and our response shall remain binding on us and may be accepted by the bank any time before expiry of the offer.

4. This response, together with your written acceptance thereof and your notification of award, shall constitute a binding Contract between us.

5. We undertake that in competing for and if the award is made to us, in executing the subject Contract, we will strictly observe the laws against fraud and corruption in force in India namely ‘Prevention of Corruption Act, 1988’.

6. We certify that we have provided all the information requested by the bank in the format requested for. We also understand that the bank has the exclusive right to reject this offer in case the bank is of the opinion that the required information is not provided or is provided in a different format.


Date:

Time:

Seal:

Authorized Signatory

(Name: Designation Contact Person, Business address Phone No., Fax, E-mail)


2. Conformity Letter

(To be submitted on company letterhead) <Location, Date>

To,

Manager Procurement,

India Post Payments Bank

Malcha Marg Post Office Building,

Chanakya Puri, New Delhi - 110021

Sir,

Subject: - Response to RFQ for empanelment of UAT Bidder

Dear Sir/Madam,

Further to our response dated DD.MM.YYYY, to the RFQ document (hereafter referred to as “RFQ DOCUMENT”) issued by India Post Payments Bank (“Bank”) we hereby warrant and confirm that:

1. We confirm that the information contained in this response or any part thereof, including its exhibits, and other documents and instruments delivered or to be delivered to the bank is true, accurate, verifiable and complete. This response includes all information necessary to ensure that the statements therein do not in whole or in part mislead the department in its short-listing process.

2. We have the technical, financial and management capabilities to support the requirements, and have a successful performance history.

3. We fully understand and agree to comply that on verification, if any of the information provided here is found to be misleading the short listing process, we are liable to be dismissed from the selection process or termination of the contract during the project, if selected to do so.

4. We agree that you are not bound to accept any tender response you receive. We also agree that you reserve the right in absolute sense to reject all or any of the products / services specified in the tender response.

5. We hereby declare that our response is made in good faith, without collusion or fraud and the information contained in the response is true and correct to the best of our knowledge and belief. We understand that our response is binding on us and that you are not bound to accept a response you receive. We declare that our offers of products, licenses and services are duly and properly authorized and that we will only use products, items, or IP which is either our own or we have been authorized to sell or transfer. We further declare that the proposed systems have their origin in eligible countries.

6. We do hereby undertake that to the best of our knowledge there is absence of actual or potential conflict of interest on our part or any prospective Partner due to prior, current, or proposed contracts, engagements, or affiliations with the Bank.

7. We also confirm that to the best of our knowledge there are no potential elements (time frame for service delivery, resource, financial or other) that would adversely impact the ability of the Bidder to complete requirements given in the RFQ.

8. We undertake and agree to indemnify and hold Bank harmless against all claims, losses, damages, costs, expenses, proceeding fees of legal advisors (on a reimbursement basis) and fees of other professionals incurred (in case of legal fees and fees of professionals, reasonably) by Bank and/or its representatives, if any such conflict arises later.

9. It is hereby confirmed that we are entitled to act on behalf of our company / corporation / firm / organization and empowered to sign this document as well as such other documents, which may be required in this connection.

10. We hereby agree to comply with all the terms and conditions / stipulations as contained in the RFQ document and the related addendum and other documents including the changes made to the original RFQ documents issued by the bank.

11. The Bank is not bound by any other extraneous matters or deviations, even if mentioned by us elsewhere either in our response or any subsequent deviations sought by us, whether orally or in writing, and the bank’s decision not to accept any such extraneous conditions and deviations will be final and binding on us.

Yours faithfully

Authorized Signatory

Designation

Bidder’s corporate name


3. Self-Declaration

(To be submitted on company’s letterhead)

Date:

Place:

To,

Manager Procurement

India Post Payments Bank

Malcha Marg Post Office Building,

Chanakya Puri, New Delhi – 110021

Ref: RFQ Notification no <xxxx> dated <dd/mm/yy>

Dear Sir,

I on behalf of _______________________ (Bidder’s name) declare the following:

1. We are in the business of conducting UAT and Performance testing audit in India.

2. We have not been barred from providing the Services nor are we in negative list/blacklisted in any manner whatsoever by any of the State/UT and/or central government in India between 01-Jan-2013 till 31-Mar-2017 on any ground including but not limited to indulgence in corrupt practice, fraudulent practice, coercive practice, undesirable practice or restrictive practice.

3. We declare that we have a dedicated testing team (permanent employees or contractors on our payroll) of a minimum of 100 personnel across India to handle the scope of work mentioned in this RFQ.

4. The systems/services offered to India Post Payments Bank Limited are compliant and do not violate any Intellectual Property Rights.

5. We have performed UAT of the core banking system and other business applications of at least one Indian scheduled commercial bank <Client Name> with at least 1000 branches. The reference provided is currently operational in production environment.

6. We have performed Performance testing audit of the core banking system along with other business applications of at least one Indian scheduled commercial bank <Client Name> with at least 1000 branches. The reference provided is currently operational in production environment.

7. We are not the Systems Integrator for IPPB, nor an associate or partner of the Systems Integrator.

8. None of our Board of Directors has been debarred by the RBI.


Place:

Date:

Bidder’s Company Seal:

Authorized Signatory’s Signature:

Authorized Signatory’s Name and Designation:


4. Power of Attorney for Signing the Response

(To be submitted on an INR 100 Stamp Paper only)

Know all men by these presents, we…………………………………………….. (name of the firm and address of the registered office) do hereby irrevocably constitute, nominate, appoint and authorize Mr/ Ms (name), …………………… son/daughter/wife of ……………………………… and presently residing at …………………., who is presently employed with us (the “Bidder”) and holding the position of ……………………………. , as our true and lawful attorney (hereinafter referred to as the “Attorney”) to do in our name and on our behalf, all such acts, deeds and things as are necessary or required in connection with or incidental to submission of our application for pre-qualification and submission of our response for the ***** Project proposed or being developed by the ***** (the “Authority”) including but not limited to signing and submission of all applications and other documents and writings, participating in pre-applications and other conferences and providing information/ responses to the Authority, representing us in all matters before the Authority, signing and execution of all contracts and undertakings consequent to acceptance of our response, and generally dealing with the Authority in all matters in connection with or relating to or arising out of our response for the said Project and/ or upon award thereof to us and/or till the entering into of the agreement with the Authority.

AND we hereby agree to ratify and confirm and do hereby ratify and confirm all acts, deeds and things done or caused to be done by our said Attorney pursuant to and in exercise of the powers conferred by this Power of Attorney and that all acts, deeds and things done by our said Attorney in exercise of the powers hereby conferred shall and shall always be deemed to have been done by us.

IN WITNESS WHEREOF WE,…………………………., THE ABOVE NAMED PRINCIPAL HAVE EXECUTED THIS POWER OF ATTORNEY ON THIS ……… DAY OF …………. 2…..

For

Authorized Signature:

Authorized Signatory Name:

Title of Signatory:

Witnesses:

1.

2.


Accepted

Attorney’s Signature:

Attorney’s Name:

Attorney’s Title:

Address:

Notes:

1. The mode of execution of the Power of Attorney should be in accordance with the procedure, if any, laid down by the applicable law and the charter documents of the executant(s) and when it is so required, the same should be under common seal affixed in accordance with the required procedure.

2. Wherever required, the applicant should submit for verification the extract of the charter documents and documents such as a board or shareholders’ resolution/ power of attorney in favor of the person executing this Power of Attorney for the delegation of power hereunder on behalf of the applicant.

3. For a Power of Attorney executed and issued overseas, the document will also have to be legalized by the Indian Embassy and notarized in the jurisdiction where the Power of Attorney is being issued.

4. However, the Power of Attorney provided by Applicants from countries that have signed the Hague Legislation Convention 1961 is not required to be legalized by the Indian Embassy if it carries a conforming apostille certificate.

5. Bidder Details

Details given in this form must be accompanied by documentary evidence to facilitate verification. Documents given with the Eligibility Criteria need not be given again. All relevant details are to be given separately for the bidder.

General Details

S. No. Details

1. Name of Company

2. Postal Address

3. Telephone, Fax Number, Email Address

4. Nature of activity

5. Details of ownership

6. Holding company or parent company

7. Name and designation of the person authorized to make commitments to the bank

8. Website address

9. GST Number

10. Income Tax PAN

11. No. of Personnel who are employed for UAT & Performance testing audit services

12. Brief description of facilities for undertaking the services, along with location

Financial Services

1. Annual Turnover (2014-15)

2. Annual Turnover (2015-16)

3. Annual Turnover (2016-17)

6. Query Format

Sr. No. | Query Reference number | Page # | Point / Section # | Content of RFQ requiring clarification | Points of Clarification | Bank's Response (Bidder should not fill in this column)

1

2

3

4

5

6

7

8

9

7. Declaration on absence of Conflict of Interest (To be submitted on the Letterhead of the Bidder)

(Place), (Date)

To, Senior Manager (Procurement)

India Post Payments Bank,

Malcha Marg Post Office Building,

Chanakyapuri,

New Delhi – 110 021

India

Subject: Declaration regarding absence of conflict of interest in selection of Contact Centre Service Provider for India Post Payments Bank

Dear Sir / Madam,

We do hereby undertake that there is no actual or potential conflict of interest on the part of the UAT & Performance testing audit provider or any prospective partner due to prior, current, or proposed contracts, engagements, or affiliations with Bank.

We also confirm that there are no potential elements (time frame for service delivery, resource, financial or other) that would adversely impact the ability of the UAT & Performance testing audit service provider to complete requirements given in the RFQ.

We undertake and agree to indemnify and hold Bank harmless against all claims, losses, damages, costs, expenses, proceeding fees of legal advisors (on a reimbursement basis) and fees of other professionals incurred by Bank and/or its representatives, if any such conflict arises later.

Dated this __________ day of ___________ 2017.

Yours sincerely,

On behalf of [Bidder’s Name]:

Authorized Signatory Name:

Title of Signatory:

Name of Firm:

Address:

Seal / Stamp of Bidder:

6. Instructions to Bidders for IS Audit RFQ

6.1. General Instructions

1. The bidder shall download the RFQ from CPP Portal and intimate the bank with

contact person and contact email id hereafter called registered bidder

2. Bidder shall attend pre-response meeting and send queries (if any) on the RFQ

3. Answers to queries, clarifications and changes in the RFQ document (if any), shall be

communicated through CPP Portal

4. Bidder shall submit response completed in all respects by the due date and time given

in this document

5. Bank will make all the earnest efforts to adhere to the timelines. The dates mentioned

are tentative and may be altered by the Bank

6.2. Response Preparation and Submission

1. The bank will not accept delivery of response in any manner other than that specified in this document. Response delivered in other manner shall be treated as defective, invalid and rejected.

2. The response shall contain no interlineations or overwriting, except as necessary to correct errors made by the Bidder themselves. The person who signed the response must initial such corrections. Submission letters for the RFQ response should respectively be as per the format prescribed in this document.

3. The authorized signatories of the Bidder should initial all pages of the response (both hard & soft copy) including annexures and documentary proofs. The authorization shall be in the form of a written Power of Attorney (refer Annexure 4: Power of Attorney) accompanying the response or in any other form to the satisfaction of the Bank demonstrating that the signatory has been duly authorized to sign.

4. This RFQ has been published on Central Public Procurement Portal (www.eprocure.gov.in). The bidders are required to submit soft copies of their response electronically on the CPP Portal using valid Digital Signature Certificates. More information useful for submitting online responses on the CPP Portal may be obtained at https://eprocure.gov.in/eprocure/app.

5. Bidders are required to enroll on the e-procurement module of the CPP Portal (URL: https://eprocure.gov.in/eprocure/app) by clicking on the link “Online Bidder Enrolment”. Enrolment on the CPP Portal is free of charge.

6. As part of the enrolment process, the bidders will be required to choose a unique username and assign a password for their accounts.

7. Bidders are advised to register their valid email address and mobile numbers as part of the registration process. These would be used for any communication from the CPP Portal.

8. Upon enrolment, the bidders will be required to register their valid Digital Signature Certificate (Class II or Class III Certificates with signing key usage) issued by any Certifying Authority recognized by CCA India, with their profile. Only one valid DSC should be registered by a Bidder. Please note that the bidders are responsible to ensure that they do not lend their DSCs to others which may lead to misuse.

9. Bidders will then log in to the site through the secured log-in by entering their user ID/password and the password of the DSC/e-Token

10. The Bidder shall submit their responses in the standard formats prescribed in this RFQ at www.eprocure.gov.in. The bidders should upload the scanned copies of all relevant certificates, documents etc. on www.eprocure.gov.in in support of their response. The Bidder should sign on all statements, documents etc. uploaded by them owning responsibility for their authenticity. Responses must be submitted online by the last date and time indicated in the “Invitation to Response”.

11. All the pages of the response should be sequentially numbered and must contain the list of contents with page numbers. Any deficiency in the documentation may result in the rejection of the response

12. There should be a Table of Contents in the Soft Copy response

13. The response prepared by the bidder should be prepared in English language in PDF format.

14. Submission will be valid only if copies of the response documents are submitted as per the defined clauses in the document and before the mentioned submission closing date and time.

15. Only one submission of response by each Bidder will be permitted.

16. RFQ response should contain at least the below mentioned details/documents:

XVI. Company profile

XVII. High level approach and methodology for conducting IS audit

XVIII. Annexure 1 - Cover Letter

XIX. Annexure 2 - Conformity Letter

XX. Annexure 3 - Self-Declaration

XXI. Annexure 4 - Power of Attorney for signing the Response

XXII. Annexure 5– Bidder Details

XXIII. Annexure 7 – Declaration on absence of Conflict of Interest

XXIV. Certificate from the Bidder’s Statutory Auditor or Chartered Accountant confirming the

Bidder is in the business of IS audit for at least three years as on 31st March 2017 in

India.

XXV. A copy of the PAN card of the Bidder

XXVI. A copy of GST registration of the Bidder

XXVII. Certificate of incorporation of the Bidder

XXVIII. Copies of audited financial statement (the profit and loss statement or the balance

sheet showing the annual turnover) for (FY 2014-15, 2015-16, 2016 -17)

XXIX. A list of the Board of Directors of the Bidder as of the date of submission of the

response. This list must be certified by the company secretary of the Bidder

XXX. Copy of purchase order or a letter from the Bank signed by the competent authority on

the letter head.

Hard Copy

I. Annexure 4 – Power of Attorney for signing the Response

6.3. Signature

The covering letters must be signed with the bidder's name and by an Authorized Signatory of the Bidder, who is authorized to commit the Bidder to contractual obligations. All obligations committed by such signatories are liable to be fulfilled by the Bidder who would be empaneled as per the terms of the RFQ. All the commitments, obligations, responses (all the pages) against this RFQ must be signed by the signatory of the Bidder.

6.4. Bank's right to terminate the process

• Bank makes no commitments, explicit or implicit, that this process will result in a business transaction with anyone

• This RFQ does not constitute an offer by Bank. The Bidders’ participation in this process may result in Bank empanelling the Bidders to engage in further discussions and selection. The commencement of such discussions does not, however, signify a commitment by Bank to execute a contract

• The Bank, at any point, may terminate this RFQ process, at its sole discretion, without any obligation to provide any information on the grounds for such termination to the Bidder.

6.5. Conflict of Interest

• Bidder shall furnish an affirmative statement (Annexure 7: Declaration on absence of Conflict of Interest) as to the existence of, or absence of, or potential for conflict of interest on the part of the Bidder or any prospective Partner due to prior, current, or proposed contracts, engagements, or affiliations with any entity which may be perceived as a conflict of interest for the Bidder to provide products/ services to the Bank. Such entities may include, but are not limited to, competitors of the Bank such as other payments banks. Additionally, such disclosure shall address any and all potential elements (time frame for service delivery, resource, financial or other) that would adversely impact the ability of the Bidder to complete the requirements as given in the RFQ

6.6. One Response per Bidder

• No Bidder shall submit more than one response against this RFQ

• The Bidder cannot be a partner with any other Bidder

6.7. Period of validity of response

• Responses submitted for the RFQ shall remain valid for 180 days from the last date

(deadline) for submission of response. A response with lesser validity period will be

treated as non-responsive

• In exceptional circumstances, the Bank may solicit the bidders’ consent for extension

of the period of validity. The request and the responses thereto shall be made in

writing

6.8. Deadline for Submission of Responses

• Response complete in all respects should be shared as described in Response Preparation and Submission not later than the date and time mentioned in Invitation of Response. In the event of the specified date for the submission of response being declared a holiday the response will be received up to the appointed time on the next working day

• In case Bank extends the deadline for submission of responses due to any reason, all rights and obligations of Bank and Bidders that were subject to the previous deadline will thereafter be subject to the extended deadline

6.9. Late response, Delayed response

Late responses (i.e. responses received after the specified time of opening) and delayed responses (i.e. responses received before the time of opening but after the due date and time for receipt of response) shall not be considered by Bank.

6.10. Confidentiality

The information given in this document is confidential and is for use by the Bidder to whom it has been issued. Each party, i.e. the Bank and the Bidder, shall treat the other party’s information as confidential and will take necessary steps to prevent the disclosure of the other’s confidential information to third parties. Both the parties will keep the contents of the response confidential.

6.11. Clarification of Queries

• Bidder requiring any clarification on this RFQ may notify the bank in writing by e-mail

at the email address & by the date provided in the Invitation to Response section of

this document. Bidder shall send the queries only in the prescribed format specified in

Annexure 6 - Query Format mentioned in the document.

• No requests for clarification will be accepted via telephone. Bank shall respond over email or in writing and post online any request for clarification of the RFQ document that it receives until the date mentioned in section Invitation to Response of this document. Any questions submitted after the last date for receipt of queries shall not be considered by bank. In no event will bank be responsible for ensuring that Bidder’s inquiries have been received by bank.

• It is to be noted that the Bank will respond to the clarification requests of only registered

bidders

• Bank may shall conduct a pre-response meeting to clarify any queries that the bidders

might have regarding the RFQ as per the date and time mentioned in ‘Invitation to

Response’ section. The venue of the pre-response meeting will be intimated to all

registered bidders through e-mail.

• Each Bidder should not depute more than 2 representatives for the pre-response

meeting. Bidder representatives should carry their company identification card on the

pre-Response conference day. Thereafter, email / written copies of Bank response

shall be sent to all primary contacts of the registered Bidders.

• If a Bidder discovers any significant ambiguity, error, conflict, discrepancy, omission,

or other deficiency in this RFQ, the Bidder should immediately notify Bank of such error

and request modification or clarification of the RFQ document, which modification

/clarification shall be at the sole discretion of Bank

• Bank will not be responsible for any queries which any of the Bidders claim to have

sent and which did not reach the designated email ids of Bank.

• Bank is not responsible to make any representation to the completeness or accuracy

of the responses, nor does it undertake to answer all the queries that have been posed

by the Bidders.

• While addressing pre-response queries please mention the name of RFQ along with

the name of organisation in the format “Pre response Query_RFQ_<Organisation

name>”

6.12. Supplementary information/Corrigendum/Amendment to RFQ

If the Bank deems it appropriate to revise any part of this RFQ or to issue additional data to clarify an interpretation of the provisions of this RFQ, it may issue supplements to this RFQ. Such supplemental information will be communicated to the primary contacts (as mentioned in the Introduction Section) of all the Bidders registered with the Bank by e-mail or other suitable method as determined by the Bank. Any such supplement shall be deemed to be an integral part of this RFQ.

6.13. Amendment of the RFQ

• At any time prior to the last date of submission of response, Bank may, for any reason, whether at its own initiative or in response to a clarification requested by a prospective Bidder, modify the RFQ document by an amendment.

• The primary contacts as mentioned in (Tender document for UAT & Performance testing audit and IS Audit for India Post Payments Bank Limited) of all the Bidders registered with the Bank will be notified of the amendment in writing or by fax or by email or by publishing on the CPP Portal and such amendment will be binding on all the Bidders.

• In order to provide the Bidders, reasonable time in which to take the amendment into account in preparing their response, Bank may at its sole discretion extend the last date of submission of response.

6.14. Modification/Substitution/Withdrawal of Responses

The Bidder may modify, substitute or withdraw its responses at any time before its

acceptance, provided that written notice of the modification, substitution or withdrawal is

received by the Bank prior to the response due date. No response shall be modified,

substituted or withdrawn by the bidder on or after the response due date.

Any alteration/ modification in the response or additional information supplied subsequent to

the response due date, unless the same has been expressly sought for by the Bank, shall be

disregarded.

6.15. Fraudulent, Corrupt, Coercive & Undesirable & Restrictive Practice

Bank will reject a response for empanelment if it determines that the Bidder recommended for

empanelment has engaged in corrupt, fraudulent or coercive practices in competing for, or in

executing, the project(s)

“Fraudulent practice” means any omission or misrepresentation that may mislead or attempt to mislead so that financial or other benefits may be obtained or an obligation avoided. This includes making false declaration or providing false information for participation in the RFQ process

“Corrupt Practice” means making offers, solicitation or acceptance of bribe, rewards or gifts or any material benefit, in exchange for an unfair advantage in the procurement process or to otherwise influence the procurement process

“Coercive Practice” means harming or threatening to harm, directly or indirectly, persons or

their property to influence their participation in a procurement process, or affect the execution

of a contract

“Undesirable practice” means

c) establishing contact with any person connected with or employed or engaged by the

Bank with the objective of canvassing, lobbying or in any manner influencing or

attempting to influence the Empanelment Process; or

d) Having a Conflict of Interest;

“Restrictive practice” means forming a cartel or arriving at any understanding or arrangement

among bidders with the objective of restricting or manipulating a full and fair competition in the

empanelment process.

6.16. Disqualifications

Apart from the reason of non-compliance with the minimum eligibility criteria conditions mentioned in section 6.2, the Bank may, at its sole discretion, at any time during the RFQ process, disqualify any Bidder from the RFQ process, if:

• The response to the RFQ was submitted after the deadline.

• Bidder has made / attempted to make misleading or false representations in the forms,

statements and attachments submitted in proof of the eligibility requirements.

• If it does not comply with the requirements and scope of this RFQ

• If a response does not follow the format requested in this RFQ.

• Response is not accompanied by required documentation.

• Bidder fails to provide information or documentary evidence or clarifications related

thereto, when sought.

• The Bank gets to know that the Bidder has withheld or suppressed the information which

would have entitled the Bank to reject or disqualify the Bidder even though the Bidder has

been qualified. The Bank reserves the right to reject the Bidder at any time whenever such

information comes to notice.

• Bidder is found to canvass, influence or attempt to influence in any manner the qualification

or selection process, including without limitation, by offering bribes or other illegal

gratification.

Since the above set of instances are only illustrative, the Bank at its sole discretion reserves

the right to disqualify any of the bidders for any of the reasons set above or any other without

sharing the details with the Bidder.

6.17. Cancellation of RFQ process

Bank reserves the right to accept or reject any response and to cancel the RFQ process and

reject all responses, at any time prior to the empanelment, without thereby incurring any

liability to the affected Bidder or Bidders or any obligation to inform the affected Bidder/s for

the reasons of the Bank’s action. Bank reserves the right to float fresh RFQ and/ or any

procurement approach as deemed fit

6.18. Applicable law and jurisdiction of court

Any dispute with the Bidder shall be governed in accordance with the Laws of India for the

time being in force and will be subject to the exclusive jurisdiction of Courts at Delhi (with the

exclusion of all other Courts).

7. RFQ for IS Audit Bidder

The purpose of this section is to define eligibility criteria to empanel a set of CISA certified

auditors for the Information Systems audit of IPPB. This section sets the expectations about

the activities to be covered under the information systems audit at data centre, disaster

recovery site, near disaster recovery site, corporate office and other branch locations as

necessary providing independent reasonable assurance to IPPB management on:

• Robust IT security

• Ensuring compliance to IT policies, information/cyber security policies, processes and

procedures defined by the Bank

• Safeguarding the IT assets viz. hardware, network, software etc.

• Maintaining security, confidentiality, integrity and availability of data

• Efficient utilization of IT resources of Bank

• Mitigation of risks where the security controls are weak

• Ensuring compliance of RBI guidelines/recommendation and other applicable external

regulations

• Comparison of IT/information/cyber security implementation by SI vis-à-vis RFP

floated by the IPPB

• Comparison of information security implementation vis-à-vis guidelines issued by RBI

or other regulatory bodies and best practices.

• Suggestions for any improvement required in the existing architecture.

7.1. Broad Scope of Work

To ensure that technology deployed for IPPB is being operated in a safe, secure, sound and

efficient manner, a system audit is required to be conducted of all IT systems for all the

applications. The IS audit should be comprehensive in nature and risk assessment should be

carried out prior to each audit cycle. This will ensure that the inherent risks involved in the in-

scope processes and systems are identified and considered for audit scoping/planning. The

IS auditor is also expected to perform the audit of VAPT and EAPT done for the bank either

by internal team or another vendor. During the course of review, IS auditor should look for the

below mentioned incidents. Details of the scope of work are also present in Annexure 8

Detailed activities. This list is indicative and auditor should leverage its experience to enhance

it further.

• IT policies (Information technology, cyber security, data privacy and information

security) guidelines and their adherence level

• Instructions issued by the authorities but not complied with

• Adequacy of Instructions vis-à-vis to relevant policy

• Role & responsibility of all relevant roles at data centre, disaster recovery site, near

disaster recovery site and other IPPB locations (including corporate office) as

necessary should be reviewed and its compliance level should be measured

• Effectiveness of monitoring of logs and issue trackers maintained by respective

departments

• Capacity utilization of the deployed systems, network and security equipment

• Bandwidth management

1. Locations/office to be covered

a) Data Centre

b) Disaster Recovery Centre

c) Near Disaster Recovery Centre

d) Corporate office

e) Other HO/SO/BO divisions of India Post or any other office of the bank at any place, where critical application/IT infrastructure is installed.

f) Premises/activities of any third party/service providers (outsourced activities) to review

compliance of services/T&C under service level agreements

2. Areas to be covered

The broad areas to be covered as part of the Information System audit include, but are not limited to, the following:

a) Risk assessment:

• Risk assessment should be carried out by IS auditor prior to each audit cycle

to identify areas where detailed audit would be required.

• Provide risk rating to each identified area to highlight severity of risk and its

mitigation

b) Policy, process and procedure review:

• Evaluate timely review & completeness of IT policies ( Information technology,

cyber security, data privacy and information security) and guidelines with

industry best practices for various IT infrastructure

• Evaluate role, responsibility and accountability of business process owners, IT

owners, data owners, IT custodians, data custodians

• Process audit - Evaluate the adequacy of policies, operating processes,

internal control procedures / guidelines documents

• Review and validate that adequate security & business continuity controls

governing the connection to other systems via telecommunications, intranet,

extranet & internet etc., have been put in place and covered in the respective

policy document.

• In case the formal procedures and controls are not in place for any activity,

evaluate the remediation applied, risk associated and give recommendations

for improvement as per industry best practices

c) Application review:

• Review that periodic checks/audits have been done to ensure that operational

level controls are in place for all business applications of the bank

• Review if the periodic checks are done in the rightful manner

• Periodic review of application to ensure that security controls are in place for

web-facing & critical applications.

d) Hardware & infrastructure review:

• Review and evaluation of the infrastructure landscape to support all the

applications

• Review of DC, DR and NDR sites to review their capacity, readiness, security

and adequacy

• WAN/LAN audit

• Inventory of IT assets

e) Compliance testing

• Comment upon compliance to ISO 27001 standards (or later standard to which

IPPB is certified)

• Compliance with RBI IT/Information/ Cyber Security guidelines

f) Audit of Vulnerability Assessment and Penetration testing (VAPT) carried out by

selected/ on boarded SI

• Review and ensure that VAPT was done properly and all observations were

highlighted and corrective actions were taken as per the defined risk appetite

level of the bank

g) Audit of External attack and penetration testing (EAPT) carried out by SI – This will be

carried for the equipment/applications/mobile application exposed to external world

h) Root cause analysis (RCA)

• Assist IPPB team to carry out root cause analysis of the incidents

i) Training

• IS auditor should provide training to Bank employees on half yearly basis to

identify risk and to perform root cause analysis

j) Incident Management review

• IS auditor should review whether incidents are managed, monitored and reported as per the RBI guidelines or those of other regulators such as CERT-In, NCIIPC etc.

k) IT review/Security architecture review

• IS auditor should review IT /Security architecture implementation vis-à-vis RBI

guidelines and security best practices and suggest the solution if any.

l) Review of Access Control & Change Management Process

m) Review of Data Center/DR/ Near DR installation as per the standard level.

3. Reporting Requirement

Bidder should submit a detailed report at the end of each audit providing observations, evidences and document details. The report should include, but not be limited to, the points below:

• Audit report of current quarter with status Repeat/ Exception or New

• Compliance status and observations of previous quarter report – complied/partially

complied/ non complied/ exceptions taken

• Unique ID for each highlighted observation

• Identify and highlight deficiencies in VAPT and EAPT performed for the bank. Broad

domain categorization of activity (Port/SQL injection/ Services/Physical access control/

Logical access control/ environment etc.)

• Risk category – High, Medium, and Low

• Servers/Resource affected

• Risk implications of the issue highlighted

• Explicit reference to key policy, process and procedure documents of the Bank against

identified risk/observation

• Recommendation for risk mitigation/ removal and identification of risk probability

• Suggestions for improvement – additional voluntary standards or regulations

applicable to the banking industry as best practices

• Summary of audit findings including identification tests, tools used and results of tests

performed

Note:

1. Bidder may further enhance the required information list as per the adopted approach for audit and experience. The final format of the report will be agreed between employer and Bidder before the final submission of report

2. Bidder should provide dashboard feature to enable IPPB employees to generate reports and summary whenever required

3. All hardware and licenses if procured under this contract will be procured in the name of employer only. Bidder should also transfer the licenses of any proprietary tool used by them for dashboard feature to the Employer

4. Schedule and frequency of audit activities

S. No. Activity Periodicity

1 Risk assessment Quarterly

2 Policy, process & procedure review Quarterly

3 Review of Application & hardware assessment Quarterly

4 Compliance testing Quarterly

5 Audit of Vulnerability Assessment and Penetration testing (VAPT) Quarterly

6 Audit of External attack and penetration testing (EAPT) Quarterly

7 Training to IPPB staff

8 Other activities (including but not limited to Risk probability assessment and RCA) Quarterly

9 Review of Access control & Change Management Process Quarterly

10 IT/Security Architecture Review Quarterly

11 DC/DR/NDR implementation review Half Yearly

7.2. Eligibility Criteria

To become eligible to respond to this section of RFQ, Bidder should-

• Fulfil at its minimum all the below mentioned criteria in Table 3

• Achieve a total score of 7 or above based on criteria mentioned in Table 4

• Score 1 or above in each of the criteria mentioned in Table 4.

Table 3 Minimum Eligibility Criteria

# | Eligibility Criteria | Documents to be submitted
1 | Bidder should have minimum turnover of INR 5 CR in each of the financial years (FY 2014-15, 2015-16, 2016-17). The same must be clearly indicated in the Profit – Loss account/Balance Sheet (see footnote 2). | 1. Certificate of incorporation of the Bidder 2. Copies of audited financial statement (the profit and loss statement or the balance sheet showing the annual turnover) for (FY 2014-15, 2015-16, 2016-17)
2 | Bidder should not have been blacklisted between 01-Jan-2013 till 01-Jan-2017 by the Central or any of the State Governments in India or any public sector Institution in India. | 1. Self-declaration from the Bidder
3 | Bidder should not be a Bidder/supplier for Software and Hardware components of the Bank or a technical advisor/service provider of the bank. | 1. Self-declaration from the Bidder
4 | The Board of Directors of the Bidder should not have anyone who has been debarred by the RBI for any reason. | 1. Self-declaration from the Bidder 2. Submit a list of the Board of Directors of the Bidder as of the date of submission of the response. This list must be certified by the company secretary of the Bidder (signed and sealed).
5 | The Bidder should be in the list of empanelled information security auditing organisations by CERT-in | 1. Current valid empanelment certificate with CERT-in

Footnote 2: For conversion of other currencies into Indian Rupees, the same shall be converted as on the date 60 (sixty) days prior to the last date of submission of the response. The conversion rate of such currencies shall be the daily representative exchange rates published by the International Monetary Fund for the relevant date

Table 4 - Eligibility and Scoring Criteria

# | Eligibility Criteria | Documents to be submitted | Score
1 | Bidder should have done the IS audit of Data Centres of at-least 5 Scheduled commercial banks | 1. Self-declaration from the Bidder 2. Copy of purchase order or a letter from the Bank signed by the competent authority on the letter head. | No of scheduled commercial banks: >= 5 and < 7: score 1; >= 7 and < 10: score 2; >= 10: score 2.5
2 | Bidder must have ISO 27001 Lead Auditor certified professionals (permanent employees or contractors on the Bidder’s payroll) across India. | Self-declaration from the Bidder | No of certified professionals: >= 2 and < 5: score 1; >= 5 and < 10: score 2; >= 10: score 2.5
3 | Bidder must have CISA certified professionals (permanent employees on the Bidder’s payroll or contractors) across India. | Self-declaration from the Bidder. List of CVs to be submitted. | No of CISA certified professionals: >= 10 and < 15: score 1; >= 15 and < 20: score 2; >= 20: score 2.5
4 | Bidder must be in business of IS Audit in India. | Certificate from the Bidder’s Statutory Auditor or Chartered Accountant confirming the Bidder is in the business of IS Audit for at least 3 years as on 31st March 2017 in India. | Years till 31-3-2017: >= 3 and < 4: score 1; >= 4 and < 5: score 2; >= 5: score 2.5

7.3. RFQ Response Evaluation Process

1. Scrutiny of Responses

The Bank will scrutinize the responses received to determine whether they are complete and as per the RFQ requirement, whether the evidentiary documentation asked for and required to evaluate the responses has been submitted, and whether the documents have been properly signed and the information is provided as per the requirements etc.

The Bank may, at its discretion, waive any minor non-conformities or any minor irregularity in

the response. This shall be binding on all bidders and the Bank reserves the right for such

waivers.

2. Clarifications

1. Bank may seek clarifications from the Bidders on the content of their responses

2. All correspondence for the clarifications will be sent to the authorized signatory of the

Bidder

3. The Bidders are expected to provide the clarifications within the time frame to be specified

by the Bank

4. If the Bidders fail to provide any clarifications against such requests, Bank will make

appropriate assumptions on those points and proceed with the evaluation

3. Declaration of Empanelled Bidders

After evaluating the responses, the Bank will publish on the CPP Portal the list of Bidders who fulfil the minimum set of requirements mentioned in this RFQ. These bidders will be empanelled by the Bank for IS Audit.

7.4. Terms & Conditions

The terms and conditions will be shared along with the detailed scope with the empanelled vendors

7.5. Annexure

1. Cover Letter

(To be submitted on company letterhead)

Date:

To,

Manager Procurement

India Post Payments Bank

Malcha Marg Post Office Building,

Chanakya Puri, New Delhi - 110021

Dear Sir,

1.Having examined the Scope Documents including all Annexures, the receipt of which is

hereby duly acknowledged, we, the undersigned offer to supply, deliver, install and maintain

all the items mentioned in the ‘Request for Quotation’ and the other schedules of requirements

and services for your bank in conformity with the said Scope Documents.

2.If our response is accepted, we undertake to abide by all terms and conditions of this Scope

and also to comply with the delivery schedule as mentioned in the Scope Document.

3.We agree to abide by this Scope Offer for 180 days from date of response opening and our

Offer shall remain binding on us and may be accepted by the bank any time before expiry of

the offer.

4.This response, together with your written acceptance thereof and your notification of award,

shall constitute a binding Contract between us.

5.We undertake that in competing for and if the award is made to us, in executing the subject

Contract, we will strictly observe the laws against fraud and corruption in force in India namely

‘Prevention of Corruption Act, 1988’.

6.We certify that we have provided all the information requested by the bank in the format

requested for. We also understand that the bank has the exclusive right to reject this offer in

case the bank is of the opinion that the required information is not provided or is provided in a

different format.

Date:

Time:

Seal:

Authorized Signatory

(Name: Designation Contact Person, Business address Phone No., Fax, E-mail)

2. Conformity Letter

(To be submitted on company letterhead)

To, <Location,Date>

Manager Procurement,

India Post Payments Bank

Malcha Marg Post Office Building,

Chanakya Puri, New Delhi - 110021

Sir,

Sub: - Response to RFQ for empanelment of IS Audit Bidder

Further to our response dated DD.MM.YYYY, to the RFQ document (hereafter referred to as

“RFQ DOCUMENT”) issued by India Post Payments Bank (“Bank”) we hereby warrant and

confirm that:

1.We confirm that the information contained in this response or any part thereof, including its

exhibits, and other documents and instruments delivered or to be delivered to the bank is true,

accurate, verifiable and complete. This response includes all information necessary to ensure

that the statements therein do not in whole or in part mislead the department in its short-listing

process.

2.We have the technical, financial and management capabilities to support the requirements,

and have a successful performance history.

3.We fully understand and agree to comply that on verification, if any of the information

provided here is found to be misleading the short listing process, we are liable to be dismissed

from the selection process or termination of the contract during the project, if selected to do

so.

4.We agree that you are not bound to accept any tender response you may receive. We also

agree that you reserve the right in absolute sense to reject all or any of the products / services

specified in the tender response.

5. We declare that our offers of products, licenses and services are duly and properly authorized and that we will only use products, items, or IP which is either our own or we have been authorized to sell or transfer. We further declare that the proposed systems have their origin in eligible countries.

6.We do hereby undertake that to the best of our knowledge and belief there is absence of

actual or potential conflict of interest on our part or any prospective Partner due to prior,

current, or proposed contracts, engagements, or affiliations with the Bank.

7.We also confirm that to the best of our knowledge there are no potential elements (time

frame for service delivery, resource, financial or other) that would adversely impact the ability

of the Bidder to complete requirements given in the RFQ.

8.We undertake and agree to indemnify and hold Bank harmless against all claims, losses,

damages, costs, expenses, proceeding fees of legal advisors (on a reimbursement basis) and

fees of other professionals incurred (in case of legal fees and fees of professionals,

reasonably) by Bank and/or its representatives, if any such conflict arises later.

9.We agree that you shall own and have the right in perpetuity to use all newly created IPR

which have been developed solely during the execution of the project including but not limited

to source code, object code, compilers, library files, executables, records, reports, designs,

application configurations, data and written material, products, specifications, reports,

drawings and other documents which have been newly created and developed by the

Bidder solely during the project.

10.It is hereby confirmed that we are entitled to act on behalf of our company / corporation /

firm / organization and empowered to sign this document as well as such other documents,

which may be required in this connection.

11.We hereby agree to comply with all the terms and conditions / stipulations as contained in

the RFQ document and the related addenda and other documents including the changes

made to the original RFQ documents issued by the bank.

12.The Bank is not bound by any other extraneous matters or deviations, even if mentioned

by us elsewhere either in our response or any subsequent deviations sought by us, whether

orally or in writing, and the bank’s decision not to accept any such extraneous conditions and

deviations will be final and binding on us.

13.It is hereby confirmed that we are entitled to act on behalf of our company / corporation /

firm / organization and empowered to sign this document as well as such other documents,

which may be required in this connection.

Yours faithfully

Authorized Signatory

Designation

Bidder’s corporate name

3. Self-Declaration

(To be submitted on company’s letterhead)

Date:

To,

Manager Procurement

India Post Payments Bank

Malcha Marg Post Office Building,

Chanakya Puri, New Delhi - 110021

Dear Sir,

I on behalf of _______________________ (Bidder’s name) declare the following:

1. We are in the business of conducting IS Audit in India.

We have not been barred from providing the Services nor are we in negative list/blacklisted in any manner whatsoever by any of the State/UT and/or central government in India between 01-Jan-2013 till 31-Mar-2017 on any ground including but not limited to indulgence in corrupt practice, fraudulent practice, coercive practice, undesirable practice or restrictive practice.

We declare that we have 15 dedicated CISA certified professionals (permanent employees or contractors on our payroll) across India to handle the scope of work mentioned in this RFQ.

2. The systems/services offered to India Post Payments Bank Limited are

compliant and do not violate any Intellectual Property Rights.

3. We have performed IS audit of Data Centers of at least 5 Indian scheduled

commercial banks or financial institutions.

4. We are not a Bidder/supplier for Software and Hardware components of the

Bank or a technical advisor/service provider of the Bank.

5. None of our Board of Directors has been debarred by the RBI

Place:

Date:

Bidder’s Company Seal:

Authorized Signatory’s Signature:

Authorized Signatory’s Name and Designation:

4. Power of Attorney for Signing the Response

(To be submitted on a INR 100 Stamp Paper only)

Know all men by these presents, we…………………………………………….. (name of the firm

and address of the registered office) do hereby irrevocably constitute, nominate, appoint and

authorize Mr/ Ms (name), …………………… son/daughter/wife of ………………………………

and presently residing at …………………., who is presently employed with us (the “Bidder”)

and holding the position of ……………………………. , as our true and lawful attorney

(hereinafter referred to as the “Attorney”) to do in our name and on our behalf, all such acts,

deeds and things as are necessary or required in connection with or incidental to submission

of our application for pre-qualification and submission of our response for the ***** Project

proposed or being developed by the ***** (the “Authority”) including but not limited to signing

and submission of all applications and other documents and writings, participate in pre-

applications and other conferences and providing information/ responses to the Authority,

representing us in all matters before the Authority, signing and execution of all contracts and

undertakings consequent to acceptance of our response, and generally dealing with the

Authority in all matters in connection with or relating to or arising out of our response for the

said Project and/ or upon award thereof to us and/or till the entering into of the agreement with

the Authority.

AND we hereby agree to ratify and confirm and do hereby ratify and confirm all acts, deeds

and things done or caused to be done by our said Attorney pursuant to and in exercise of the

powers conferred by this Power of Attorney and that all acts, deeds and things done by our

said Attorney in exercise of the powers hereby conferred shall and shall always be deemed to

have been done by us.

IN WITNESS WHEREOF WE,…………………………., THE ABOVE NAMED PRINCIPAL

HAVE EXECUTED THIS POWER OF ATTORNEY ON THIS ……… DAY OF …………. 2…..

For

Authorized Signature:

Authorized Signatory Name:

Witnesses:

1.

2.

Accepted

Attorney’s Signature:

Attorney’s Name:

Attorney’s Title:

Address:

Notes:

1.The mode of execution of the Power of Attorney should be in accordance with the procedure,

if any, laid down by the applicable law and the charter documents of the executant(s) and

when it is so required, the same should be under common seal affixed in accordance with the

required procedure

2.Wherever required, the Applicant should submit for verification the extract of the charter

documents and documents such as a board or shareholders’ resolution/ power of attorney in

favor of the person executing this Power of Attorney for the delegation of power hereunder on

behalf of the Applicant

3.For a Power of Attorney executed and issued overseas, the document will also have to be

legalized by the Indian Embassy and notarized in the jurisdiction where the Power of Attorney

is being issued.

4. However, a Power of Attorney provided by Applicants from countries that have signed the Hague Legalisation Convention 1961 is not required to be legalized by the Indian Embassy if it carries a conforming Apostille certificate.

5. Bidder Details

Details given in this form must be accompanied by documentary evidence to facilitate verification. Documents given with the Eligibility Criteria need not be given again. All relevant details are to be given separately for the bidder

General Details

S. No. Details

1. Name of Company

2. Postal Address

3. Telephone, Fax Number, Email Address

4. Nature of activity

5. Details of ownership

6. Holding company or parent company

7. Name and designation of the person authorized to make commitments to the bank

8. Website address

9. GST Number

10. Income Tax PAN

11. No. of Personnel who are employed for IS Audit services

12. Brief description of facilities for undertaking the services, along with location

Financial Services

13. Annual Turnover (2014-15)

14. Annual Turnover (2015-16)

15. Annual Turnover (2016-17)

6. Query Format

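Sr. No. | Query reference Number | Page # | Point / Section # | Content of RFQ requiring clarification | Points of Clarification | Bank's Response (Bidder should not fill in this column)
1 | | | | | |
2 | | | | | |
3 | | | | | |
4 | | | | | |
5 | | | | | |
6 | | | | | |
7 | | | | | |
8 | | | | | |
9 | | | | | |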

7. Declaration on absence of Conflict of Interest

(To be submitted on the Letterhead of the Bidder)

(Place), (Date)

To,

Senior Manager (Procurement)

India Post Payments Bank,

Malcha Marg Post Office Building,

Chanakyapuri,

New Delhi – 110 021

India

Subject: Declaration regarding absence of conflict of interest in selection of Contact Centre Service Provider for India Post Payments Bank

Dear Sir / Madam,

We do hereby undertake that there is absence of, actual or potential conflict of interest on the part of the IS Audit provider or any prospective partner due to prior, current, or proposed contracts, engagements, or affiliations with Bank.

We also confirm that there are no potential elements (time frame for service delivery, resource, financial or other) that would adversely impact the ability of the IS Audit service provider to complete requirements given in the RFQ.

We undertake and agree to indemnify and hold Bank harmless against all claims, losses, damages, costs, expenses, proceeding fees of legal advisors (on a reimbursement basis) and fees of other professionals incurred by Bank and/or its representatives, if any such conflict arises later.

Dated this __________ day of ___________ 2017.

Yours sincerely,

On behalf of [Bidder’s Name]:

Authorized Signatory Name:

Title of Signatory:

Name of Firm:

Address:

Seal / Stamp of Bidder:

8. Detailed Activities

Bidder is expected to evaluate the aspects including but not limited to the points mentioned

below for respective domains. Evaluate and comment on compliance by Bank as per Security

Policy/ Procedures, ISO 27001 standards, regulatory guidelines and Industry best practices.

Note: The below mentioned list is indicative and Bidder should enhance this list as per their

experience and approach used for the IS audit

1. Policy, process and procedure review

1.1. Business strategy review

• Review that business strategy is documented and objectives have been clearly defined

• Role of IT should be clearly spelt out in the Business Strategy document

• Periodic assessment should have been done to ensure that IT initiatives are supporting

the organization’s mission and goals

• Impact of major developments in technology on business strategy should have been

reviewed and documented periodically

1.2. IT strategy review

• Review of long and short term IT strategy of IPPB

• IT strategy should be approved by the management and contain IT department structure along with roles and responsibilities

• Broad strategy for procurement of hardware, software solutions, Bidder development

and management should be in place

• Conversion of long term IT plans to short term IT plans regularly for achievability

• Adequate resources should be allocated for long term and short term IT strategy

• Regular assessment should be done by relevant stakeholders to maintain the track

1.3. IT security policy review

• IT security policy of IPPB should be in place. Policy should be reviewed and approved

by senior management

• Policies related to IT activities should be listed in the security policy

• Policy should take into account the business strategy, legal and regulatory requirements

• Policy should be communicated to all concerned people and should be understood by

the team

• Review process should be in place for reviewing the policy at periodic intervals and /

or on any other major event

1.4. Other policy and procedure review

• Outsourcing

a. Review that service levels are defined and managed for outsourcing activities

b. Review that the Non-Disclosure Agreement (NDA) is in place

c. Responsibility and liability of bidders should be defined

d. Ensure that service level agreements (SLAs) cover key performance indicators which formalize the performance criteria with penalty clause against which the quantity and quality of service is measured

e. Monitoring of bidders' activities as per SLAs defined

f. Review the penalties levied in each case of SLA breach and ensure that they are in line with the defined SLA

• Business continuity

a. Review Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) and their

adequacy / completeness including Cryptographic Disasters

b. Review and ensure one-to-one mapping of DR and DC equipment (servers, network, security) with respect to configuration, OS version, and patch-updation. Report any deviations and risk associated with it

c. Specify events which could restrict successful shifting to DRS in case of any

disruptions at main site

d. Review of actual execution of processes and procedures during the drill at DC, DR and

NDR and comment on drill exercise

e. Bidder should evaluate timely review of BCP guidelines

• Inventory maintenance

a. Review IT asset maintenance and classification policy and check for unauthorized

software

b. Review software storage control and license management policy

• Help desk policy

a. Review help desk policy and facility which provides first-line support and advice

b. Review prioritization of reported problems and timely resolution of reported problems

c. Review that the problems and incidents that are resolved are investigated and

necessary steps are taken to prevent any recurrence

d. Ensure trend analysis along with root cause analysis is done and reports are published

as per the specified time frame

e. Review that the audit trails are maintained and problem tracking and escalations are

done on time with proper documentation

• Media storage policy

a. Review and ensure that responsibilities for media (magnetic tape, cartridge, disks and

diskettes) library management are assigned to specific members of the IT

function/team

b. Review the housekeeping procedures and ensure that they are designed to protect media library contents

c. Review the standards defined for the external identification of magnetic media and the

control of their physical movement and storage to support accountability

d. Review the process defined to maintain the inventory of media library containing data

• Storage management policy

a. Review the storage policy and ensure that policy covers the retention period and

storage terms for at least the below mentioned items:

i. Documents

ii. Data

iii. Programs

iv. Reports

v. Messages (incoming and outgoing)

vi. Keys, certificates used for their encryption and authentication.

vii. Log files for various activities

viii. Policy and Procedures for purging of data.

• Protection of disposed sensitive information

a. Review procedures to prevent access to sensitive information and software from

computers, disks and other equipment or media

b. Procedures should ensure that data marked as deleted or to be disposed cannot be

retrieved by any internal or third party

c. Protection of records from loss, destruction and falsification in accordance with statutory, regulatory, contractual and business requirements

2. Hardware

• Hardware acquisition, installation, usage and disposal procedures should be clearly

defined

• Methodology used to forecast the resources required as per IPPB policies

• Server procurement, sizing (hard disk, RAM, processor etc.) is done as per the

business requirement

• Server capacity is sufficient to take work load as per short and long term plan.

• Efficient utilization of hardware resources

• Adequacy of storage and scalability to cater future growth requirements

3. Application level review

• Ensure that the releases of software are governed by formal procedures

• Review of change control activities

• All requests for change are assessed in a structured way for all possible impacts on

the operational system and its functionality is reviewed

• Impact analysis of change requests is done before implementing any changes. Associated documents and procedures are updated accordingly

• Ensure that the maintenance personnel have specific assignments and that their work

is properly monitored. System access rights for resource should be controlled to avoid

risks of unauthorized access

• Review of Access logs and audit logs

• Communicating new features to users during version upgradation

• Regular updates of job cards with new version releases

• Media of the Applications should be present in the software library

• Review of setup, configuration, security and control of all application & their interface

with external applications in terms of bank‘s security guidelines and other regulatory

guidelines

• Monitoring procedure for uptime and incident management of applications as per the

SLA defined

• Adequate internal controls should be in place to minimize errors and fraud

• Review of interface with other organizations/application for utility payments and other

functionalities

• Review of applications performance, scalability, availability, security & controls

• Ensure that proactive virus/malware/spyware etc. prevention and detection procedures

are in place and implemented

• Review monitoring of system performance and resource usage to optimize computer

resource utilization

• Review that authentication controls and work flows are working for each application

• Review of patch management process on Servers/Applications/OS/Desktops/Mobile

devices

• Review of VAPT/Hardening process

4. Network Management

• Review of overall network management

• Review of network design – scalability and redundancy

• Review Network cabling and IP Sec implementation

• Evaluate processes adopted for:

a. Transmission of data

b. Bandwidth management

c. Uptime against the SLAs

d. Fault Management

e. Capacity planning

f. Audit log review and maintenance

g. Performance management

• Review IPV6 readiness of the bank

• Analyze the logs maintained for Network Incident

• Review of security architecture implementation

5. Network and security equipment

• Router, Firewall, Proxy, Intrusion Prevention System, Switch, Modems etc. procured

and installed should be in line with business strategy/IT Policy/Information/Cyber

Security policy of IPPB

• Evaluate the installation, deployment/ placement, configuration, security, policies

defined in respective equipment for meeting the security requirement of the LAN &

WAN as per IT Policy/Information/Cyber Security policy of IPPB and industry best

practices.

• Regular monitoring of incident logs should have been done

• Evaluate centralized control of hardware installed and their password management

• Review of access control monitoring and logging mechanism through VLAN‘s, remote

accesses, WAN access, internet access, third party access

• Review of network security processes, redundancy & fall back mechanisms

6. Data base management system and data security

• Use of Data Repository System (DRS), Data Definition Language (DDL), Data

Manipulation Language (DML)

• Storage of duplicate copy of Data Definition and DRS at off-site

• Monitoring of log of changes to the Data Definitions

• Review of Data Dictionary and Data Directory System

• Review of procedures to ensure that all data are classified in terms of sensitivity and necessary safeguards for its confidentiality, integrity and authenticity are taken as per IT Security Policy

• Logical access controls which ensure the access to data is restricted to authorized users

• Review to ensure that confidentiality and privacy requirements are met

• Review of authorization, authentication and access control

• Ensure that segregation of duties is in place for accessing data

• Review of purging policy-procedures of Data Files

• Review of protection of sensitive Information during transmission and transport.

• Separation and rotation of duties should be in place

• Review of control procedures for sensitive DB passwords.

• Review to ensure that patches and new versions are updated as and when released by Bidder/Research and Development team. If not done, then comment upon vulnerabilities and availability of services of existing version being used.

7. Wide area network audit

• Bidder should check configuration of routers, switches and current network & security posture of the WAN architecture

• Review IP Addressing schemes and their allocations

• Review physical & logical separation of the Networks

• Review network & security products/technologies deployed and their adequacy to ensure security and connectivity

• Review IP Sec implementation

• Review and highlight any network bottlenecks & performance issues

• Review of Inter-operability of CO/ZNC/CNC/NC LANs with Corporate WAN

• Review availability of the Network and ensure SLAs are met

• Review SLA levels maintained by third parties & monitoring of key performance indicators by bank

• Review scalability & robustness of network.

• Review network administration and management tools & EMS.

• Review availability and quality of system documentation.

• Review and evaluate integration of various extranets with Bank’s network.

8. Security operation center

• Review of SOC infrastructure and implementation

• Review of SOC processes, SLA Management process for SOC

• Review the configuration parameters and adequacy of staff working at SOC

• Review of reporting responsibility and periodicity of report

• Review the process of information sharing by bank’s DC/DR team

• Review of work authorization system between outsourced service provider and bank’s team

• Review of access control, customer data privacy & confidentiality maintained at SOC

• Review of SOC implementation as per RBI guidelines or other regulators and industry best practices.

9. Network operation center

• Review of NOC infrastructure and implementation

• Review of NOC processes, SLA Management process for NOC and check for the adherence of these SLAs

• Review the configuration parameters and adequacy of staff working at NOC

• Review of reporting responsibility and periodicity of report generated

• NOC should be certified as ISO 27001 compliant

• Review of NOC implementation as per RBI guidelines or other regulators and industry best practices.

10. Access Control & Change Management Process

• Review of access control process for IPPB employee/SI/Bidder to any IPPB asset including DC/DR and Near DR site as per Information Security Policy of IPPB & industry best practice.

• Review of Change management process for IT assets including applications, H/w, Network & security solutions.

11. Training requirements

• Bidder should provide training to Bank employees on half yearly basis to identify risk and to perform root cause analysis

• Bidder should educate IPPB employees to identify potential risk and techniques to mitigate that risk

Bidder should confirm at the end of the audit that functioning of activities audited are in compliance with:

1. Bank’s IT and security policies

2. External regulations i.e. IT Act 2000, IT (Amendment) Act 2008, RBI guidelines & recommendations, Banker’s Evidence Act, Gopalakrishna Recommendation and any other legal and regulatory requirements.

3. Compliance to ISO 27001 standards (or later version) for the activities complied to it

4. Adherence to Long and short term IT plan

5. Adherence to the business strategy of IPPB

8. Empanelment Period

1. The Selected Bidder/s will be empaneled for a period of 3 years from the date of result declaration

2. Empanelment doesn’t mandate IPPB to provide work orders to the bidders

3. At the end of the empanelment period, IPPB at its sole discretion can extend the empanelment period of either all Bidder/s or a selected few

4. IPPB can run fresh RFQ process in the middle of the empanelment period to empanel new bidders

9. List of Abbreviations

Acronym Full Form

CBS Core Banking System

IS Information Security

DC Data Centre

DRC Disaster Recovery Centre

NDR Near Disaster Recovery

HO Head Office

IT Information Technology

NPCI National Payments Corporation of India

IPS Intrusion Prevention System

BCP Business Continuity Plan

DB Database

WAN Wide Area Network

LAN Local Area Network

IPPB India Post Payments Bank

UAT User Acceptance Testing

RFQ Request for Qualification

CERT-in Indian Computer Emergency Response Team

SLA Service Level Agreement