Tender No.

062008

Banking with personal touch

REQUEST FOR PROPOSAL (RFP)

FOR

Consultancy for ISO27001 Certification

Bank of Maharashtra
Central Office
Information Technology Department
1501, Lokmangal, Shivajinagar
Pune- 411 005
Phone : 25536051 / 25532731- Extn-291/350
Fax : 25521568
Email : bomcoit@mahabank.co.in
Website: www.bankofmaharashtra.in

Cost of Tender Document: Rs.5000/-

BOM- RFP- ISO 27001 Certification -1-
 Contents
_______________________________________________________
PART I Invitation for tender offers
PART II Instructions to Bidders
PART III Terms and Conditions
ANNEXURE 1 Format of tender offer cover letter
ANNEXURE 2 Bidders Information
ANNEXURE 3 Proforma for Bank Guarantee
ANNEXURE 4 Scope of work
ANNEXURE 5 Commercial Bid
ANNEXURE 6 Format for CV
ANNEXURE 7 Check list of documents to be submitted
______________________________________________________________

BOM- RFP- ISO 27001 Certification -2-

1. Invitation for Tender offers
Introduction
Bank of Maharashtra, established in 1935, was nationalized in the year 1969. The Bank is a
force to reckon with as it is having more than 900 branches in the State of Maharashtra itself
with a largest network of branches by any Public Sector Bank in this state.
The Bank has a four-tier organizational structure comprising of Branches, Regional Offices,
Circle Offices and Central Office with a network of more than 1376 branches, spread across
the country. The Bank has specialized branches catering to the needs of Industries,
Corporate clients, Exporters & Importers, Small Scale Industries and Agriculturists.

As a part of modernization of banking services of the Bank in tune with the emerging
technologies and with a view to provide integrated products and services to the customers,
the Bank has embarked upon a series of technology initiatives including implementation of
Core Banking Solution (‘CBS’). Various IT initiatives taken by the bank so far are-

• Implementation of Core Banking Solution covering more than 700 branches spread
across the country. The bank has established tier 3 data centre at Pune with disaster
recovery site at Hyderabad ( co-hosted at Hi tech Park city in TCS premises)

• Commissioned the Bank’s Wide Area Network ‘MAHANET’ which connects more
than 700 branches, all Regional Offices, Circle Offices and Central Office

• Is a member of Indian Financial Network (INFINET) set up by Institute for

Development & Research in Banking Technology (IDRBT) for the purpose of inter-
bank and intra-bank communication and settlements.

• Has deployed a mail messaging solution using IBM Lotus Domino server at Data
Centre with DR site at Hyderabad.

• Development of various in-house application software for departments of Central

Office, Regional Office, Service Branch, etc. using FoxPro, VB-SQL, etc.

• Setup and installation of 345 ATMs across the country with Visa affiliation for the
card.

• Setting up of the state of the art IT Training Institute at Pune for imparting training in
all IT related areas and products.

• Introduction of Internet banking, Mobile banking and Telebanking.

• The bank has computerized all the Rural and semi urban branches using Nelito
BIBAS software (Bi lingual branch automation software.)

• The bank has prepared Information Security Policies and Procedures for
implementation across the organization..

In view of these major strides in the field of I.T, it has now been decided to go for ISO
270001 certification. Hence Bank of Maharashtra invites sealed tender offers (Technical
bid and Commercial bid) from eligible, reputed firms for Consultancy for ISO 27001:2005
certification for Central Office-IT deptt, Data Centre, Disaster Recovery site and CBS
Project Management Office as specified in the Scope of Work.

BOM- RFP- ISO 27001 Certification -3-

A complete set of tender documents may be purchased by eligible bidder upon payment of a
non-refundable fee of Rs.5000/- (Rs. Five Thousand only) by demand draft / banker’s cheque
in favour of Bank of Maharashtra and payable at Pune.

Bid Collection and Submission

Tender Reference number 062008

Price of Tender Copy Rs.5000/-
Earnest Money Deposit (EMD) Rs.1 lakh
Date of commencement of sale of tender 24/09/2008
document
Last Date of sale of tender document 23/10/2008
Queries to be mailed by 01/10/2008
Pre-Bid meeting with Bidders 13/10/2008 at 11.00 hrs
Last Date and Time for receipts of tender offers 23/10/2008 up to 15:00 hrs
Time and Date of Opening of technical bids 23/10/2008 at 16:00 hrs
Place of Opening tender offers Bank of Maharashtra
Information Technology
Department,
Central office,1501,Lokmangal,
Shivaji Nagar,Pune-411 005.
Address for Communication As above
Contact Telephone Numbers Phone no :020-25536051
020-25520708
Fax no: 020-25521568

Tender offers will be opened in the presence of the bidder representatives who choose to
attend the opening of tender on the above-specified date, time and place.

Technical Specifications, Terms and Conditions and various formats and pro forma for
submitting the tender offer are described in the tender document.

General Manager
IT, BPR & MIS

BOM- RFP- ISO 27001 Certification -4-

2. Instructions to bidders

2.1. Two Bid System Tender

Two Copies of the Technical Bid (Each in Separate Envelopes) & One Copy of the
Commercial Bid must be submitted at the same time, giving full particulars in separate
sealed envelopes at the Bank’s address given below, on or before the schedule given
above. All envelopes should be securely sealed and stamped. The sealed envelope
containing Commercial bid must be submitted separately to the Bank. The softcopy of
the technical Bid should also be provided in a CD along with the technical bid. The
hard copy of the bid document shall be treated as correct and final, in case of any
errors in soft copy.

Earnest Money Deposit must accompany all tender offers as specified in this
tender document. EMD amount/Bank Guarantee in lieu of the same should not be
mixed with Technical/Commercial bid. It should be in separate cover to be handed
over to the department.

Bank’s address
Dy. General Manager
IT, BPR & MIS
Bank of Maharashtra
“Lokmangal”,
1501, Shivajinagar
Pune - 411005

All the envelopes must be super-scribed with the following information:

• Type of Offer (Technical or Commercial)

• Tender Reference Number
• Due Date
• Name of Bidder
• Name of the Authorised Person

All Schedules, Formats and Annexures should be stamped and signed by an

authorized official of the bidder’s company.

The bidder will also submit copy of the RFP duly stamped and signed on each page
by the authorized official of the bidder’s company.

ENVELOPE-I (Technical bid):

The Technical bid should be complete in all respects and contain all information asked for,
except prices. The TECHNICAL BID should include all items asked for in Annexure-2. The
Technical bid should not contain any price information. The TECHNICAL BID should be
complete to indicate that all products and services asked for are quoted and should give
all required information. A copy of original Commercial offer with prices duly masked
should be submitted along with the Technical Bid.

BOM- RFP- ISO 27001 Certification -5-

ENVELOPE-II (Commercial bid):

The Commercial bid should give all relevant price information and should not contradict the
TECHNICAL BID in any manner.
The prices quoted in the commercial bid should be without any conditions. The bidder should
submit an undertaking that there are no deviations to the specifications mentioned in
the RFP either with the technical or commercial bids submitted.

These three envelopes containing the Technical bids (Two copies in Separate envelopes)
and Commercial bid should be separately submitted. Please note that if any envelope is
found to contain both technical and commercial bid, then that offer will be rejected outright.

The three envelops will have to be handed over to any of the following persons who will
provide an acknowledgement for receipt of the envelopes.

1. Mr Tushar Talegaonkar, Senior Manager-IT

2. Mr Sanjeeb Nayak, Senior Manager-IT

Bank’s Address
Bank of Maharashtra, IT Department
“Lokmangal”, 1501, Shivajinagar
Pune - 411005

2.2. Annexure to the Tender

This tender comprises of following schedules / Annexures

Annexure 1: Format of Covering Letter

Annexure 2: Bidder’s Information
Annexure 3: Proforma of Bank Guarantee for Earnest Money
Annexure 4: Scope of Work
Annexure 5: Commercial Bid
Annexure 6: Format of CV for the Professionals to be Involved In the consultancy for design
implementation and certification ISO 27001:2005.
Annexure 7: Check List of documents to be submitted.

2.3. Eligibility Criteria

The bidders, who fulfil the eligibility criteria mentioned in “Qualification Criteria” of the tender,
will only be eligible for further process i.e. technical evaluation.

2.4. Terms and Conditions

Terms and conditions for bidders who participate in the tender are specified in the
section called “Terms and Conditions”. These terms and conditions will be binding on all the
bidders. These terms and conditions will also form a part of the purchase order, to be issued
to the successful bidder(s) on the outcome of the tender process.

2.5. Non-transferable Tender

This tender document is not transferable. Only the bidder, who has purchased this
tender form, is entitled to quote.

BOM- RFP- ISO 27001 Certification -6-

 2.6. Soft Copy of Tender document

The soft copy of the tender document will be made available on the bank’s website.
However Bank of Maharashtra shall not be held responsible in any way, for any
errors/omissions/mistakes in the downloaded copy. The bidder is advised to check the
contents of the downloaded copy for correctness against the printed copy of the tender
document. The printed copy of the tender document shall be treated as correct and final,
in case of any errors in soft copy.

The bidders who are submitting the bid by downloading from the Bank’s website will have
to pay the non-refundable fee of Rs.5000/- by way of a demand draft / bankers’ cheque in
favour of Bank of Maharashtra payable at Pune while submitting the bid.

2.7. Offer validity Period

The offer should hold good for a period of 180 days from the date of the opening of
Commercial bid.

2.8. Address for Communication

Offers should be addressed to the following office at the address given below:

Deputy General Manager

IT, BPR & MIS
Bank of Maharashtra
Central Office, “Lokmangal”
1501, Shivaji Nagar
Pune - 411005

Emails: dgmitd@mahabank.co.in,
cmitd@mahabank.co.in,
ashok.singh@mahabank.co.in
tushar.talegaonkar@mahabank.co.in

2.9. Pre-Bid Meeting

For the purpose of clarification of doubts of the bidders on issues related to this RFP, Bank
of Maharashtra intends to hold a Pre-Bid Meeting on the date and time as indicated in the
RFP. The queries of ALL the bidders should reach in writing or by e-mail on or before
01/10/2008 on the address as mentioned above. It may be noted that no queries of any
bidder shall be entertained received after the Pre-Bid Conference. The clarifications given in
the Pre-Bid meeting will be available on the Bank’s Website.

Only the authorized representatives of the bidders who have purchased the RFP will
be allowed to attend the Pre-Bid meeting.

2.10. Opening of Offers by Bank of Maharashtra

Tender offers received within the prescribed closing date and time will be opened in the
presence of bidders’ representatives who choose to attend the opening of the tender on the
specified date and time as mentioned earlier in the tender document. The bidder’s
representatives present shall sign a register of attendance and minutes and they should be
authorized by their respective companies to do so. A copy of the authorization letter should
be brought for the Bank to verify.
BOM- RFP- ISO 27001 Certification -7-
 2.11. Scrutiny of Offers

Scrutiny of Bids will be in three stages as under:

¤ Eligibility Criteria:
Bank of Maharashtra will first scrutinize the eligibility of the prospective bidders as per
“Eligibility criteria” mentioned in the RFP based on the documents submitted. The offers of the
only those bidders who fulfil the above eligibility criteria will be taken up for further scrutiny i.e.
technical evaluation.

¤ Technical evaluation:

Bank of Maharashtra will scrutinize the technical offers. Bank of Maharashtra will determine
whether the technical details along with documents have been furnished as per RFP and
whether items are quoted as per the schedules / Annexures. The bidders who qualify in
technical evaluation will only be short-listed for commercial evaluation.

The technical evaluation will be done on the basis of the information provided in the
“Bidder’s Information” format along with supporting documents. The bidder will have
to give a presentation on the following points as a part of the technical evaluation.

1. Process approach for ISO 27001:2005 design & Implementation.

2. Risk Assessment process approach and methodology
3. ISMS development activities details.
4. Pre-audit assessment process plan and execution.
5. Certification audit stage plans.
6. Surveillance audit plans.
7. Statement of Applicability: - approach and completion
8. Deliverables
9. Project timeline and completion plan
10. Consultancy Team details such as qualifications, experience etc
11. Case study of any ISO 27001:2005 certification carried out in the past.

A team of Bank officials along with the Bank’s consultant will evaluate the bidder on the above
mentioned points. Each of the above mentioned point will carry a weightage of 10 points .The
bidder will have to procure a minimum 75 points to qualify technically.

The points given by the evaluation team is final and the Bank will not entertain any
queries on the points given to a particular bidder or its competitors.

• Commercial evaluation:
Bank of Maharashtra will open and scrutinize the commercial offers of the technically
qualified bidders only. The Commercial bids will have to be submitted in the format as per
Annexure -5. Commercial bids should not have any alteration or overwriting. The bank may
reject or load the financial implication of any alteration, if found into the commercial bid
submitted by the respective bidder. The calculation arrived by the Bank will be final and will be
binding on the bidders. If any cost items in the commercial bid is found to be blank and not filled
with any amount then it shall be considered as zero and the same will be offered to the Bank
free of any charges.

BOM- RFP- ISO 27001 Certification -8-

 2.12. Clarification of Offers

To assist in the scrutiny, evaluation and comparison of offers, Bank of Maharashtra may, at
its discretion, ask some or all bidders for clarification of their offer. The request for such
clarifications and the response will necessarily be in writing.

2.13. No Commitment to Accept Lowest or Any Tender

Bank of Maharashtra shall be under no obligation to accept the lowest or any other offer
received in response to this tender notice and shall be entitled to reject any or all offers
including those received late or incomplete offers, without assigning any reason
whatsoever. Bank of Maharashtra reserves the right to make any changes in the terms and
conditions of the RFP. Bank of Maharashtra will not be obliged to meet and have discussions
with any bidder, and or to listen to any representations.

2.14. Submission of Technical Details

It is mandatory to provide the technical details in the exact format of Bidder’s

Information as per Annexure-2. The offer may not be evaluated by Bank of
Maharashtra in case of non-adherence to the format or non-submission / partial
submission of technical details as per the format given in the tender. Bank of
Maharashtra will not allow/permit changes in the technical specifications once it is
submitted. The relevant information, printed brochure, technical specification sheets etc.
should be submitted along with the offer. Failure to submit this information along with the
offer could result in disqualification (Please refer to the suggested checklist given in this
document)

2.15. Format for Technical bid

The Technical bid must be made in an organized, structured and neat manner.
Brochures/leaflets etc. should not be submitted in loose form. This can be divided into three
parts - the first part should contain the documents supporting the eligibility of the vendor to
participate in the tendering process as per the eligibility criteria mentioned in the RFP , the
second part should contain the technical details of the proposed project and the third part
should contain the technical brochures etc.

BOM- RFP- ISO 27001 Certification -9-

The suggested format for submission of Technical bid is as follows:
1. Index
2. Covering letter. This should be as per Annexure-1.
3. Details of the bidder, as per Annexure-2.
4. Compliance of eligibility criteria along with support documents in following format.

Sr Short Description of Eligibility Criteria Submitted Write figures

No Yes/No wherever
required

1 Certificate of Incorporation/ Partnership deed

2 Balance Sheets -
2005- 06
2006- 07
2007-08 (If the Balance sheet is provisional the
CFO of the company should certify the same
under company’s seal)
3 Profit figure Profit:(Rs in
2005-06 lacs)
2006-07
2007-08
4 Details of minimum six experts/Certified
Resources with minimum one each from

a) CCNA/CCNP
b) CISSP/CISA
c) BS 7799 / ISO 27001:2005 Lead Auditor

Bio Data in the enclosed format along with the

copies of certificate.
5 Team Leader must be ISO 27001:2005 Lead
Auditor having experience of conducting ISO
27001:2005 audit
6
Necessary certificates having executed orders of
value of minimum Rs.25 lacs during last three
financial year for ISO27001 Certification audit
of Data Center out of which one should be for a
commercial bank or financial institution (This
certification from the client in addition to the copies
of purchase orders enclosed)
7
Whether involved directly or indirectly in
implementation or audit of security and network
infrastructure of Bank Of Maharashtra
8 Self-declaration for being Not blacklisted

The eligibility criteria will be verified based on above compliance table duly filled by
the bidder along with the supporting documents.

BOM- RFP- ISO 27001 Certification - 10 -

5. The bidder should give undertaking that bidder complies/ accepts all terms and
conditions stipulated in the RFP without any deviations.
6. Implementation methodology
7. Details of Risk assessment and audit tools.
8. Design, implementation and certification methodology document.
9. Deliverables
10. Project time plan for implementation and ISO 27001:2005 certification.
11. Valid Bank Draft / Bank Guarantee in lieu of EMD (To be submitted in a separate
envelope along with the First Copy of Technical Bid.)
12. Bidder’s Financial Details (audited balance sheets, annual reports etc.) and other
supporting documents, as asked in the tender document
13. Copy of the Commercial Bid duly masking the price column.
14. Details of certification authority.

2.16. Masked Commercial

The bidder should submit a copy of the actual price bid being submitted to the bank by
masking the actual prices. This is mandatory. The bid may be disqualified if it is not
submitted.

2.17. Format for Commercial bid

The Commercial bid must not contradict the Technical bid in any way. The suggested
format for submission of Commercial bid is as follows:

a. Index
b. Covering letter
C. Commercial Version of commercial bid document as per Annexure -5
d. A statement that the bidder agrees with Payment terms given in the tender.

2.18. Costs & Currency

The offer must be made in Indian Rupees only, and price quoted must include all taxes and
levies.
2.19. Fixed Price

The Commercial bid shall be on a fixed price basis, inclusive of all taxes and levies at site
as mentioned above. No price variation relating to increases in customs duty, excise
tax, Service tax, dollar price variation etc. will be permitted.

2.20. No Negotiation

It is absolutely essential for the bidders to quote the lowest price at the time of making the
offer in their own interest, as Bank of Maharashtra will not enter into any price
negotiations,.

2.21. Short-listing of Bidders

Bank of Maharashtra will create a short-list of technically qualifying bidders and the
Commercial bids of only these bidders will be opened.

BOM- RFP- ISO 27001 Certification - 11 -

2.22. Right to Alter location and/or Scope

Bank of Maharashtra reserves the right to alter the proposed locations /scope. Bank of
Maharashtra also reserves the right to remove one or more locations from the list of
locations specified in tender. In case location is removed then amount quoted for that
location and other expenses should be reduced proportionately.

2.23. Qualification Criteria

Eligibility of the Bidder

a) The Bidder should be a PSU / PSE / a limited company / a registered partnership firm
having existence in India. The necessary certificates, for example, Certificate of
Incorporation in case of a Limited company, Registration Certificate along with the latest
partnership deed in case of partnership firm should be submitted with the offer.
b) The Bidder should be in existence for five years as on 31.03.2008. (In case of mergers/
acquisitions/ restructuring or name change, the data of establishment of earlier/ original
Partnership Firm/ Limited Company can be taken into account)
c) The Bidder Company / firm should have made profits in the last three financial years i.e.
2005-2006, 2006-2007 and 2007-2008. A copy of last three financial years’ relevant
audited balance sheets and profit and loss statements should be submitted with the
offer.
d) The bidder should have executed orders for ISO 27001 Certification, Audit of Data
Center totalling to Rs.25.00 Lakhs during last three financial years out of which one should
be for a commercial bank or financial institution. Necessary certificates to that effect from
the clients should be enclosed.

e) The Bidder should have minimum of six experts and certified resources with at least one
from each of the following:
• CCNA/CCNP
• CISA / CISSP
• BS 7799 LA / ISO 27001 LA
f) Team Leader must be ISO 27001:2005 Lead Auditor having experience of conducting at
least one ISO 27001:2005 audit.
g) The bidder should not be involved directly or indirectly in implementation or audit of
security and network infrastructure of Bank Of Maharashtra.

h) The Bidder should not have been blacklisted by any Government department /PSU /PSE
or banks. Self-declaration to that effect should be submitted along with the technical bid.

2.24 Earnest Money Deposit

Bidders are required to give a Demand Draft drawn in favour of Bank of Maharashtra and
payable at Pune, (valid for 180 days from the due date of the tender) for Rs.1 lac (Rupees
One lac only) as Earnest money Deposit (EMD) along with their offer. Offers made without
E.M.D. will be rejected. Bank of Maharashtra will not pay any interest on the E.M.D. The Bank
may accept Bank Guarantee in lieu of EMD for an equivalent amount issued by any Public
Sector Bank other than Bank of Maharashtra or by any scheduled commercial bank
acceptable to Bank of Maharashtra. In case of Bank Guarantee from other than Public sector
banks prior permission of Bank of Maharashtra is essential. The BG should be valid for 6
months from the date of submission of the offer. The format of BG is enclosed.

BOM- RFP- ISO 27001 Certification - 12 -

3. Terms and Conditions

3.1 Project Timeline

The bidder has to adhere to the following time lines.

Stages Particular Period

Stage 1 Completion of locational review and Within four weeks form the
current state study after placing of date of purchase order..
order.
Stage 2 Submission of ISMS Implementation Within two weeks after
Plan / procedure and methodology as completion of stage I.
per scope of work.
Stage 3 Completion of Document audit Within three weeks after the
completion of stage 2.
Stage 4 Gap analysis and implementation after Within 12 weeks from the
stage 1 audit. date of completion of stage
3.
Stage 5 Final certification (stage 2) audit Within 3 weeks from the date
of completion of stage 4.

3.2 Timeframe:

The basic objective is to enable the Bank to obtain certification within a period of six months,
from the date of purchase order. Accordingly, the consultant would carry out a
comprehensive study of the extant systems & procedures; documentation etc. in the set-up
identified for certification and should harmonize them with BS / ISO standards, culminating
in the Certification. Thereafter, post-certification surveillance audit to be carried once in year
for a period of three years, for maintenance of certification
The total Project should be completed within six months of placing of order.

3.3 Payment Terms

10% After successful completion of stage 1
30% After successful completion of stage 3
20 % After successful completion of stage 4
40 % After getting Final certification.

The above payment terms are applicable for the stages up to surveillance audit. The
payment for surveillance audit will be released on yearly basis after completion of the audit.

3.4 The final selected bidder will have to sign a contract with the Bank. The contract will
be based on the terms and conditions mentioned in the RFP.

3.5 Delays in Design, Implementation and Certification ISO 27001:2005 and

Performance Guarantee.

The final short listed firm should submit a performance guarantee valid for three year from the
date of signing the contract. The value of the guarantee will be 10% of the amount of Purchase
order.

The Consultant must strictly adhere to the project time line schedule, as specified in the
BOM- RFP- ISO 27001 Certification - 13 -
Contract, executed between the bank and the vendor, pursuant hereto, for performance of
the obligations arising out of the contract and any delay will enable the Bank to resort to any
or all of the following at sole discretion of the bank.

(a) Claiming Liquidated Damages

(b) Termination of the agreement fully or partly
In addition to the termination of the agreement, Bank of Maharashtra reserves the right to
appropriate the damages by invoking the performance guarantee.

3.6 Liquidated Damages

The liquidated damages will be an estimate of the loss or damage that the bank may
have suffered due to delay in performance of the obligations (under the terms and
conditions of the contract) by the vendor and the consultancy company / firm shall be
liable to pay the Bank as liquidated damages at the rate of 1% of the total contract value
for delay of every week or part thereof(for final certification). Without any prejudice to the
Bank's other rights under the law, the Bank shall recover the liquidate damages, if any,
accruing to the Bank, as above, from any amount payable to the vendors either as per
the Contract, executed between the Bank and the vendor pursuant hereto or under any
other Agreement/Contract, the Bank may have executed/shall be executing with the vendor.
3.7 Indemnity

The vendor shall, at their own expense, defend and indemnify the Bank against any
claims due to loss of data / damage to data arising as a consequence of any negligence
during implementation and certification process.

3.8 Publicity

Any publicity by the bidder in which the name of Bank of Maharashtra is to be used
should be done only with the explicit written permission of Bank of Maharashtra.

3.9 Force Majeure

The Consultant shall not be liable for forfeiture of its performance security, liquidated
damages or termination for default, if any to the extent that its delay in performance or
other failure to perform its obligations under the contract is the result of an event of
Force Majeure.

For purposes of this Clause, “Force Majeure” means an event explicitly beyond the
control of the Consultant and not involving the Consultant’s fault or negligence and not
foreseeable. Such events may include, Acts of God or of public enemy, acts of
Government of India in their sovereign capacity and acts of war.

If a Force Majeure situation arises, the Consultant shall promptly notify the Bank in
writing of such conditions and the cause thereof within fifteen calendar days. Unless
otherwise directed by the Bank in writing, the Consultant shall continue to perform his
obligations under the Contract as far as is reasonably practical, and shall seek all
reasonable alternative means for performance not prevented by the Force Majeure
event.

In such a case the time for performance shall be extended by a period (s) not less than
duration of such delay. If the duration of delay continues beyond a period of three
months, the Bank and the consultant shall hold consultations in an endeavor to find a
solution to the problem.
BOM- RFP- ISO 27001 Certification - 14 -
Notwithstanding the above, the decision of the Bank shall be final and binding on the
Bidder consultant.
3.10 Resolution of Disputes

Bank of Maharashtra and the bidder shall make every effort to resolve amicably, by
direct informal negotiation, any disagreement or dispute arising between them under or in
connection with the contract. If after thirty days from the commencement of such
informal negotiations, Bank of Maharashtra and the Bidder are unable to resolve
amicably a contract dispute; either party may require that the dispute be referred for
resolution by formal arbitration.

All questions, disputes or differences arising under and out of, or in connection with the
contract, shall be referred to two Arbitrators: one Arbitrator to be nominated by Bank of
Maharashtra and the other to be nominated by the Bidder. In the case of the said
Arbitrators not agreeing, then the matter will be referred to an umpire to be appointed by the
Arbitrators in writing before proceeding with the reference. The award of the Arbitrators,
and in the event of their not agreeing, the award of the Umpire appointed by them shall be
final and binding on the parties. THE ARBITRATION AND RECONCILIATION
ACT 1996 shall apply to the arbitration proceedings and the venue & jurisdiction of the
arbitration shall be at Pune.
3.11 Privacy and Security Safeguards

The successful Bidder shall not publish or disclose in any manner, without the Bank's prior
written consent, the details of any security safeguards designed, developed, or
implemented by the successful Bidder under this contract or existing at any Bank
location. The successful Bidder shall develop procedures and implementation plans to
ensure that IT resources leaving the control of the assigned user (such as being
reassigned, removed for repair, replaced, or upgraded) are cleared of all Bank data and
sensitive application software. The successful Bidder shall also ensure that all
subcontractors who are involved in providing such security safeguards or part of it shall not
publish or disclose in any manner, without the Bank's prior written consent, the details
of any security safeguards designed, developed, or implemented by the successful
Bidder under this contract or existing at any Bank location.
3.12 Confidentiality

This document contains information confidential and proprietary to BANK OF

MAHARASHTRA. Additionally, the Bidder consultant will be exposed by virtue of the
contracted activities to internal business information of BANK OF MAHARASHTRA,
affiliates, and/or business partners. Disclosure of receipt of any part of the
aforementioned information to parties not directly involved in providing the services
requested could result in the disqualification of the Bidder consultant, pre-mature
termination of the contract, or legal action against the Bidder consultant for breach of
trust. The information provided / which will be provided is solely for the purpose of
undertaking the consultancy services effectively.
No news release, public announcement, or any other reference to this RFP or any
program there under shall be made without written consent of BANK OF
MAHARASHTRA. Reproduction of this RFP, by photographic, electronic, or other
means is strictly prohibited.
ANNEXURE 1: FORMAT OF TENDER OFFER COVER LETTER

Date: ____________________________________2008

BOM- RFP- ISO 27001 Certification - 15 -

Tender Reference No. 062008

To:
Having examined the tender documents including all annexure the receipt of which is
hereby duly acknowledged, we, the undersigned, offer to provide consultancy to perform
design, implementation, of ISO 27001 certification for Data Center, Disaster recovery
site and critical locations as mentioned in scope of work in conformity with the said
tender documents in accordance with the Commercial bid and made part of this tender.

We understand that the RFP provides generic specifications about all the items and it has
not been prepared by keeping in view any specific bidder.

If our tender offer is accepted, we will obtain the guarantee of a bank for a sum equal to 10%
of the Contract Price for the due performance of the Contract.

We agree to abide by this tender offer till 180 days from the date of tender opening and our
offer shall remain binding upon us and may be accepted by the Bank any time before
the expiration of that period.

Until a formal contract is prepared and executed, this tender offer, together with the
Bank’s written acceptance thereof and the Bank’s notification of award, shall constitute a
binding contract between us.

We understand that the Bank is not bound to accept the lowest or any offer the Bank may
receive.

Dated this __________________day of __________2008

Signature: __________________________________

(In the Capacity of :) ________________________________

duly authorized to sign the tender offer for and on behalf of

BOM- RFP- ISO 27001 Certification - 16 -

ANNEXURE 2: BIDDER’S INFORMATION

Particulars Details to be furnished Enclosures to be

for the Particulars submitted
Name of the IS Audit Company

Address of Registered Office

Address of Communication at Pune

Date of inception of IS Audit

services
Presence and locations of Offices
in India
Details of Services provided by the Please attach a separate
Company sheet, if required
Number of CISA qualified Please enclose list of
personnel names, with their Bio Data
Number of CCNA qualified Please enclose list of
personnel names, with their Bio Data
Number of CISSP qualified Please enclose list of
personnel names, with their Bio Data
Number of BS 7799/ISO 27001 Please enclose list of
lead auditors names, with their Bio Data
Number of Network Security Audit Details of the credentials.
assignments completed for Banking
and Financial Sector in India
Number of Clients for whom Please enclose list of
ISO 27001/BS7799 Certification names and Letters from
obtained by the IS Consultant Co. such organizations
supporting the same.
Experience in conducting IS audit Details of credentials.
and IT Security audit for Banks (giving scope of work for
and/or Financial sector each assignment) with
letters from the respective
organizations supporting
the same
Whether the IS Audit company is If Yes, furnish address of
having dedicated ethical hacking the lab and profile of the
lab dedicated security
professionals involved in
ethical hacking

BOM- RFP- ISO 27001 Certification - 17 -

 Annexure 2 contd.

Experience of working on similar Furnish credentials with

projects in Public Sector details of work done.
Undertakings and government
Departments
Number of persons who are Resume of the persons in
proposed to be associated for the format enclosed as CV
executing the assignment with format to this document
name of the Team Leader
Whether the IS Audit Company has Names of the institutions
formulated Information System with reference and details of
Security Policy (ISSP) and Disaster type of environment
Recovery Plan (DRP) for any covered by ISSP and DRP
Banking or Financial institution

We confirm that all the details mentioned as required above and the
documents/enclosures submitted in support of the same are true and correct and if
the Bank observes any misrepresentation of facts on any matter at any stage of
evaluation, the Bank has right of rejecting the Bid.

We have understood the scope of work and undertake to execute the assignment as per the
requirement of RFP.

Dated this ....... day of ............................ 2008

_________________________________ ________________________________
(Signature) (In the capacity of)

Duly authorized to sign Proposal for and on behalf of _________________________

BOM- RFP- ISO 27001 Certification - 18 -

ANNEXURE 3: PROFORMA FOR THE BANK GUARANTEE FOR EARNEST MONEY
DEPOSIT (EMD).

Guarantee for Payment of Earnest Money/Security Deposit

Bank Guarantee no.:

Date
Period of Bank Guarantee: Valid up to
Amount of Bank Guarantee: Rs.

To,
Bank of Maharashtra,
IT Department,
1501, Lokmangal,
Shivajinagar, Pune 411005.

THIS DEED OF GUARANTEE made at …….. this ………..day of ………….. between

Bank of ……………………… a banking company having its office at hereinafter referred
to as ‘the Bank’ of the One Part and Bank of Maharashtra a New Bank constituted
under the Banking Companies (Acquisition & Transfer of Undertakings) Act, 1970
having its Head Office at ‘Lokmangal’ , 1501 Shivajinagar, Pune 411 005, hereinafter
called the Beneficiary, of the other Part.

a) Whereas the Beneficiary had invited tenders for Consultancy for ISO 27001 certification
vide tender No 062008 dated 24/10/2008.
b) One of the terms of the tender is that bidder are required to give a Demand Draft drawn in
favour of beneficiary and payable at Pune, (valid for 180 days from the due date of the
tender) for Rs 1 lac (Rs. One lac only) as Earnest Money Deposit (EMD) along with their
offer. The Beneficiary may accept Bank Guarantee in lieu of EMD for an equivalent amount
issued by any Public Sector Bank, valid for 6 months from the date of issue.
c) M/s …………………... hereinafter referred to as the said Contractors’ have given their
offer for ISO 27001 certification of Data Center, Disaster recovery site, Project Management
Office and Central Office- IT deptt to the Beneficiary and the said Contractors are
required to deposit the said amount of earnest money (or security deposit) or to furnish bank
guarantee.
d) At the request of the said M/s.…………………. the Bank has agreed to furnish
guarantee for payment of the said amount of earnest money (or security deposit) in the
manner hereinafter appearing:

NOW THIS DEED WITNESSETH that pursuant to the said tender and in
consideration of the premises the Bank doth hereby guarantee to and covenant with the
Beneficiary that the Bank shall, whenever called upon by the Beneficiary in writing and
without demur and notwithstanding any objection raised by the said Contractor/s, pay to the
Beneficiary the said amount of Rs.1 lakh (Rupees One lakh only) payable by the said
Contractor/s under the said Contract.

AND IT IS AGREED and declared by the bank that the liability of the Bank to pay
the said amount whenever called upon by the Beneficiary shall be irrevocable
and absolute and the Bank will not be entitled to dispute or inquire into whether
the Beneficiary has become entitled to forfeit the said amount as earnest money
(or as security deposit) under the terms of the said contract or not and entitled to
claim the same or not or whether the said contractors have committed any
BOM- RFP- ISO 27001 Certification - 19 -
breach of the said contract or not or whether the Beneficiary is entitled to recover
any damages from the said contractors for breach of terms thereof or not.

Any such demand made by the Beneficiary shall be binding and conclusive as regards
amount due and payable by the Contractor to the Beneficiary. And the Bank undertakes to
pay unconditionally on written demand without demur and the claim of beneficiary shall
be conclusive and binding as to the amount specified therein.

AND it is further agreed and declared by the Bank that any waiver of any breach of any
term of the said contract or any act of forbearance on the part of the Beneficiary or any
time given by the Beneficiary to the contractors for carrying out and completing the work
under the said contract or any modifications made in the terms and conditions of the said
contract or any other act or omission on the part of the Beneficiary which could have in law
the effect of discharging a surety, will not discharge the Bank.

AND it is agreed and declared that this guarantee will remain in force until the
time fixed in the said contract for completion of the said work or until the
expiration of any extended time for such completion and shall be valid for a
period of six months from the date hereof i.e. the guarantee shall be valid up to
……

AND it is agreed and declared that this Guarantee will be irrevocable and enforceable
even if the contractor’s company goes into liquidation or there is any change in the
constitution of the said Company or management of the said Company and shall ensure
to the benefit of its successors and assigns and shall be binding on the successors and
assigns of the Bank.

Not withstanding anything contained herein:

c) The liability of the Bank under this Bank Guarantee shall not exceed
Rs.________ ________. (Rupees _______________).
d) This Bank Guarantee shall be valid up to _____________________.
e) Bank is liable to pay guaranteed amount or part thereof under this Bank
Guarantee only and only if beneficiary serve upon as a written claim or demand on or before
______________ (date of expiry of the Guarantee).
IN WITNESS WHEREOF the Bank has put is seal the day and year first
hereinabove written.

Signed, sealed and delivered by Mr…………

For and on behalf of the Guarantor to do so and
to affix the seal of the Bank, in the presence of ……….

BOM- RFP- ISO 27001 Certification - 20 -

ANNEXURE-4: SCOPE OF WORK

The Consultant/Vendor shall establish, implement, operate, monitor, review, maintain and
improve documented Information System Management System (ISMS) for ISO 27001:2005
certification for the following locations.

Central Office IT Department (Pune): The nodal department which plans, monitors and
executes all IT projects of the bank.

Project Management Office (Pune): It is Bank’s Project Management and control office
from where the entire CBS project is implemented, managed and controlled.

Data Centre (Pune): Bank has a level III Data Center where the entire infrastructure for
core banking solutions have been installed and supporting 700 core banking branches
spread across all over India. The Data Centre also hosts NOC for management of all
branches / offices of the Bank.

Disaster Recovery Centre (Hyderabad): Bank’s DR Centre is Co hosted with Tata

Consultancy Services Ltd (TCS Ltd) in Hyderabad where we take care of Business
continuity management..

Brief about the Applications, Infrastructure & Network required to be covered under
the proposed assignment:-

I Applications covered would include:

• Core Banking Solution (BANCS24 Core comprising of Deposits, Retail and
Corporate Loans, Remittances, General Ledger Accounting, etc.)
• Trade Finance Solution (EximBills, e-Treasury) covering Forex management,
Treasury operations for both domestic/ international.
• Government Business Module (with on-line remittance and information
transmitting facilities for Tax collection, EDI, CBEC, modules for Pension, PPF,
RBI Relief bonds, tax collection )
• Retail Loan Origination System (e-Credit)
• Internet and Tele Banking Solution (e-banksworks)
• Mobile / SMS banking solution
• Enterprise Management System ( CA Unicenter)
• Help Desk module of CA Unicenter
• Interfaces developed for functionality like ATM, RTGS, SFMS, SWIFT, ECS
/EFT, EDI (Interface with Customs), OLTAS, Treasury and ALM, Credit
Monitoring System (CREAM), Credit Risk Rating System, Intranet, HR system.

II. Brief about the Core Banking Solution Platform

Core Banking Solution is supplied by Tata Consultancy Services Ltd. It covers

Deposits, Advances, Remittances, and Trade Finance, Accounting modules,
Internet, SMS banking modules, Tele Banking module, Government Business
Module. Enterprise Management System is CA Unicenter.

Core Banking Solution, Application and Database are ported on IBM AIX 5.3
Operating System and IBM P5 series. The Database used is Oracle 9i.

The Data Centre is set up at Pune. The Disaster Recovery Servers is co-located at
TCS, Hyderabad.

III. Brief about the Network Architecture

The Bank’s Network is dedicated point-to-point leased line network as
primary links with ISDN links backup for all the branches covered under Core
Banking Solution Project.
BOM- RFP- ISO 27001 Certification - 21 -
 a. Level I – Core: The core of the network consists of a DC and DRC linked
together. DC and DRC have links to the HO, PMO, Network Aggregation
Points (NAP’s) and the external networks

b. Level II – Distribution: The distribution network forms part of the Bank’s wide
area network connecting the NAP’s to DC and DRC using dedicated links.
There is a network component redundancy at NAP.

c. Level III – Access: In the access network, all the branches are connected to
the nearest designated NAP.

The consultant/vendor is also expected to co ordinate the surveillance audit after getting the
certification. The quote for this job has to be given in the commercial bid. For arriving at TCO
the cost of surveillance audit for year one and year two will be considered.

The following activities and processes have to be identified by the Consultant Company /
Firm according to the standard ISO 27001:2005 in the above mentioned Locations.

• Establish ISMS policy, objectives, processes and systems and procedures relevant
to managing risk and improving information security to deliver results in accordance
with the organization’s overall policies and objectives.

• Implement and operate the ISMS policy, controls, processes and systems and
procedures.

• Assess and where applicable, measure process performance against ISMS policy,
objectives and practical experience and prepare the relevant report for review.

• Prepare the internal ISMS audit team from the bank and impart necessary trainings
for conducting the internal ISMS audit.

• Take corrective and preventive actions, based on the results of the internal ISMS
audit and management review or other relevant information to achieve continual
improvement of the ISMS

• Define the scope and boundaries of the ISMS in terms of its location, assets and
technology

• Define the risk assessment approach of the Locations

• Develop criteria for accepting risks and identify the acceptable levels of risk

• Identify the impacts that losses of confidentiality, integrity and availability may have
on the assets and locations.

• Analyze and evaluate the risks

• Identify and evaluate options for the treatment of risks

• Select control objectives and controls for the treatment of risks.

• Prepare a Statement of Applicability

• Prepare a statement of exclusion of any control objectives and controls in SOA with
the justification for their exclusion.

BOM- RFP- ISO 27001 Certification - 22 -

 • Review of controls and control objectives already implemented and recommending
for addition/ modification required in the existing controls implemented.

• Co-ordianate with bank in completing documentation, procedures required by ISO

27001

• Co-ordinante with bank and Certification bodies during Pre Audit and certification
audit

• Assist Bank during surveillance audits

• Any other guidance and help which may be required by bank ISO 27001:2005
certification.

• The consultant has to submit weekly progress report during the project.

The bank will give full cooperation for timely access to resources, facilities, documents and
coordination with various external agencies such as software vendors, network providers etc
so that the work can be performed in a smooth manner by the consultant. The bank expects
that consultant will perform work in a mutually respectful and professional manner.

All following 11 domains must be taken for ISMS

9 Security policy

9 Organization of Information security

9 Asset management

9 Human Resources security

9 Physical and environmental security

9 Communications and operations management

9 Access control

9 Information systems acquisition, development and maintenance

9 Information security incident management

9 Business continuity management

9 Compliance

BOM- RFP- ISO 27001 Certification - 23 -

ANNEXURE 5: COMMERCIAL BID

The Commercial Bid should contain the Total project cost, on a fixed cost basis
excluding service taxes. Bank of Maharashtra will not provide any
reimbursement for travelling, lodging/boarding, local conveyance or any
other related expenses..

The format for the commercial bid is given below

SL Deliverables (broad) Amount in Rs.

(Inclusive of all
No
Taxes) **
1.
A Data Centre
B Disaster Recovery Site
C CBS Project Management Office
D Central Office-IT Deptt
E Any other expenses please specify
Total ( A+B+C+D+E)
2
A Post Certification Surveillance audit for 1st year
B Post Certification Surveillance audit for 2nd year
Total (A + B)

Total ( 1 +2 )
(Mention total amounts in figure and words also.)
(** Fixed sum inclusive of all taxes, duties, travelling, lodging, boarding expenses and
any other out of pocket expenses but excluding Service tax)
Note: -

The Bank reserves the right to avail the services of the consultant firm for more surveillance
audit work, up to a period of three years, as per the Bank’s requirement after the completion
of two surveillance audit, at the same price.

For Post-certification surveillance / maintenance for three years:

Payment will be released on yearly basis for subsequent post-certification surveillance audit
for maintenance of Certification. IS Consultant selected for the assignment will have to abide
by the above payment terms. Bank reserves the right to reject the Bids/responses to the
RFP seeking deviation from the above payment terms.

BOM- RFP- ISO 27001 Certification - 24 -

ANNEXURE 6: FORMAT OF CURRICULUM VIATE (CV)
(Separate sheets for each person)

Position:

Name of Firm:

Name of Personnel:

Profession:

Date of Birth:

Years with Firm:

Nationality:

Membership of Professional Societies:

Detailed Tasks Assigned :( past 5years)

(Giving an outline of person's experience and training most pertinent to task on assignment.
Describe degree of responsibility held by the person on relevant previous assignments and
give dates and locations)

Employment Record:
(Starting with present position, list in reverse order)

Qualifications: Technical and Academic with year of passing

BOM- RFP- ISO 27001 Certification - 25 -

 ANNEXURE 7: CHECKLIST OF DOCUMENTS TO BE SUBMITTED

¤ Eligibility Criteria
¤ Technical Bid
¤ Commercial Bid
¤ Security Deposit / EMD BG
¤ Masked Commercial Bid
¤ Format of CV for the professionals to be involved in the entire ISO 27001
certification process.

BOM- RFP- ISO 27001 Certification - 26 -