Central Audit & Inspection Department

REQUEST FOR PROPOSAL (RFP) For CONDUCTING INFORMATION SYSTEM AUDIT OF IT SYSTEMS AND PROCESSES

Central Audit & Inspection Dept. Union Bank of India, Earnest House, 7th floor, NCPA Marg, Nariman Point, Mumbai 400021 Contact Tel: 022-22802602

Activity / Details

1. Release of RFP: 06/07/2017 at 11.00 Hours

2. Bid Price: Rs. 5000/- by way of Demand Draft drawn on any nationalized Bank, payable in favour of Union Bank of India, payable at Mumbai

3. Address for Receipt/submission of Bid: The Dy. General Manager, Central Audit and Inspection Department, Earnest House, 7th Floor, NCPA Marg, Nariman Point, MUMBAI - 400021.

4. Bid Submission: Bids as per RFP terms to be submitted in 2 different sealed envelopes marked: “TECHNICAL BID FOR CONDUCTING IS AUDIT OF IT SYSTEMS AND PROCESSES FOR UNION BANK OF INDIA” and “COMMERCIAL BID FOR CONDUCTING IS AUDIT OF IT SYSTEMS AND PROCESSES FOR UNION BANK OF INDIA”.

5. Last date & time for Submission: 26/07/2017 at 16.00 Hours

6. Bid Security: Bid security in the form of an Account payee Demand Draft (DD) for Rs.1,00,000/- (Rupees One Lac) only as Earnest Money Deposit (EMD), payable at Mumbai in favour of Union Bank of India, issued by a Scheduled Bank, which would carry no interest; OR an equivalent amount of Bank Guarantee (BG) issued by a Scheduled Bank valid for 180 days from the date of opening of the Tender as per format given in the Formats Section.

7. Bid Opening Date: 26/07/2017, at 16:30 hrs at the Conference Room, Central Audit and Inspection Department, Earnest House, 7th Floor, NCPA Marg, Nariman Point, MUMBAI – 400021

8. Methodology of commercial selection of bidder: Lowest Bidder (L-1) Method


TABLE OF CONTENTS

1. SECTION I: INTRODUCTION
1.1. ABOUT THE BANK
1.2. PURPOSE OF RFP
2. SECTION II: ELIGIBILITY CRITERIA
2.1. THE SERVICE PROVIDER SHOULD
2.2. THE SERVICE PROVIDER SHOULD NOT
2.3. SUPPORTING DOCUMENTS TO BE SUBMITTED
3. SECTION III: SYSTEMS DESCRIPTION
3.1. DIFFERENT INFORMATION SYSTEMS
4. SECTION IV: SCOPE OF WORK
4.1. SCOPE OF WORK RELATED TO IS (INFORMATION SYSTEMS) AUDIT
5. SECTION V: TERMS OF EXECUTION OF WORK
6. SECTION VI: TERMS AND CONDITIONS
6.1. BID PRICE
6.2. BID SECURITY
6.3. CLARIFICATIONS ON THE RFP
6.4. TWO PART OFFER
6.5. NO ERASURES OR ALTERATIONS
6.6. VALIDITY
6.7. TECHNICAL PROPOSAL
6.8. COMMERCIAL PROPOSAL
6.9. PRICE COMPOSITION
6.10. PAYMENT OF OTHER EXPENSES
6.11. EVALUATION PROCEDURE
6.12. RIGHT TO ALTER QUANTITIES
6.13. NO COMMITMENT TO ACCEPT LOWEST OR ANY TENDER
6.14. ROTATION OF AUDIT TEAM
6.15. PRICE FREEZING AND CONTRACT PERIOD
6.16. PAYMENT TERMS
6.17. CANCELLATION OF THE ASSIGNMENT
6.18. LIQUIDATED DAMAGES
6.19. RFP OWNERSHIP
6.20. PROPOSAL OWNERSHIP
6.21. CONFIDENTIALITY
6.22. DISCLAIMER
7. SECTION VII: RFP RESPONSE FORMATS
1. FORMAT – I: LETTER TO THE BANK ON THE SERVICE PROVIDER’S LETTERHEAD
2. FORMAT – II: SERVICE PROVIDER PROFILE
3. FORMAT – III: CV OF PROFESSIONAL PERSONNEL
4. FORMAT – IV(A): REFERENCES OF IS AUDITS DONE FOR BANKS
5. FORMAT – IV(B): REFERENCES OF CORE BANKING APPLICATION AUDITS DONE
6. FORMAT – V: PROPOSED METHODOLOGY & WORK PLAN
7. FORMAT – VI: COMMERCIAL OFFER
8. FORMAT – VII: UNPRICED COMMERCIAL OFFER
9. FORMAT – VIII: FORMAT FOR BANK GUARANTEE
10. FORMAT – IX: FORMAT OF INTEGRITY PACT
11. FORMAT – X: KNOW YOUR EMPLOYEE
ANNEXURE
ANNEXURE-I
ANNEXURE-II

1. Section I: Introduction

1.1. About the Bank

Union Bank of India (the BANK) is a leading Nationalized Bank having its Central Office at Mumbai, operations across India and International presence in Hong Kong, Sydney, Belgium, Dubai, UK and other locations. The Bank caters to its customers from all fields, through its 4282+ branches, 7000+ ATMs and various delivery channels. It has implemented Core Banking Solution (CBS) with Primary Data centre and Near Site at Mumbai and DR site at Bengaluru. All the branches are connected to the Data Centre through a Wide Area Network by leased lines / ISDN Lines / VSATs / GPRS.

1.2. Purpose of RFP:

This RFP seeks to engage a Service Provider who has the capability and experience for conducting Information Systems (IS) Audit, including Application audit of Core Banking Solution and other applications, and to make appropriate recommendations, as covered under the Scope of Work. The assignment also covers carrying out risk analysis of all IT assets of the Bank and preparation of Risk Matrix based on Guidelines issued by RBI and Govt. of India. The aim of the RFP is to solicit proposals from qualified bidders for undertaking the above detailed assignments. Interested eligible bidders may download the RFP from Union Bank of India website www.unionbankofindia.co.in/tender.aspx or from Govt. of India web site www.tenders.gov.in.

2. Section II: Eligibility Criteria

Only those bidders who fulfill the following criteria are eligible to respond to the RFP. Offers received from the service providers who do not fulfill all or any of the following eligibility criteria are liable to be rejected.

2.1. The service provider should

i. be a current legal entity (Company /Firm /Organization/ independent subsidiary) in India.

ii. be in business of Information System auditing in India at least for last three years.

iii. be having an average annual turnover of Rs.5 (Five) crores or more for each of the last three financial years (2014-15, 2015-16, 2016-17).

iv. be in net profit in at least two years out of last three financial years.

v. have conducted two Information System audits of data centers and other IT Infrastructure of two banks in India (including all the following aspects), connected with a minimum 1000 branches, in any of the past three years (2014-15, 2015-16, 2016-17):

a) Vulnerability assessment of servers/security equipment/ network equipment;
b) External attack and penetration test of equipments exposed to outside world through internet;
c) Application audit of Core Banking Solution in at least one Bank with a minimum 1000 branches;

vi. have minimum 5 professionals with CISA/ CISM/ CISSP or similar qualifications and should be on permanent roll of the organization.

vii. deploy auditing team having “auditing experience” of minimum 3 years, after the date of related qualification including at least one CISA throughout the audit period. (Undertaking by bidder)

viii. have a valid CERT-In empanelment as on the last date of submission of tender.

2.2. The service provider should not

i. be a vendor for Software and/or Hardware of the Bank at Primary Data Centre, Treasury and/or their respective DR Sites.

ii. be involved in implementing or managing Security and network infrastructure of the Bank at Primary Data Centre, Treasury and/or their respective DR Sites. (If involved in any specific activity which does not affect auditor’s independence for current audit assignment may be considered at the discretion of the Bank).

iii. have been blacklisted, as on the date of tender submission, by any nationalised Bank / RBI /IBA or any other Central / State Government department / agency.

Note: The service provider must comply with all the above mentioned criteria. Non-compliance with any of the criteria will entail rejection of the offer summarily. Photocopies of relevant documents/certificates should be submitted as proof in support of the claims made. The Bank reserves the right to verify/evaluate the claims made by the vendor independently.

2.3. Supporting documents to be submitted:

i. Copies of certificates of Registration, Incorporation and commencement of business, etc., as the case may be.

ii. Copies of the audited and published Financial reports for the past three financial years (2014-15, 2015-16, 2016-17).

iii. Letters from the organizations for which the service provider had conducted Information Systems audit during past three years (the scope of the assignment should have been clearly mentioned).

iv. Letters from the organizations for which the service provider had conducted Core Banking Application Audit during past three years (the scope of the assignment should have been clearly mentioned).

v. Copies of the CVs of the Information Systems Audit professionals (CISA, CISM, CISSP etc.,) including copies of their relevant certifications as per the prescribed format.

vi. Self-declaration and certification to confirm compliance of “should nots.”

vii. CERT-In empanelment document

viii. Any undertaking as mentioned in RFP

3. Section III: Systems Description

3.1. Different information systems

The Bank has different information systems, which are bifurcated into three broad categories, as follows:

i. Core Banking related Systems:

Bank has implemented a Centralized Core Banking Solution (CBS) Finacle version 7.0.25 from Infosys.



Bank has set up an Enterprise Wide Network covering all its 4282+ branches and offices spread across the country. The modes of connectivity to the branches/offices are a combination of MPLS, leased lines, ISDN Lines, VSATs, GPRS and other forms of connectivity.



The Data centre houses multiple servers which connect to the enterprise wide network, hold the critical Core Banking application and database of financial and non-financial information pertaining to customers of the Bank.



Along with CBS, Bank has also set up electronic delivery channels such as ATM, Internet Banking, Mobile banking, SMS alerts etc., for providing customer service. All types of electronic delivery channel Systems are seamlessly integrated with the Core Banking systems, observing IT security norms.



Bank has 7000+ ATMs. All the ATMs of the Bank are connected to Bank’s ATM Switch, which in turn is integrated with Core Banking Systems. Bank’s ATM switch is connected to NFS switch for ensuring ATM sharing arrangements with other banks. All the ATMs of the Bank accept VISA / Master cards / Rupay. All the debit cards of the Bank are VISA / Master and Rupay enabled. Bank is also issuing RUPAY enabled cards.

Internet Banking System has separate servers for connecting to the web, housing the application and database and also connecting to the Core Banking Solution.



Bank is in a tie-up with CDSL, providing depository services to its customers. Branches open DEMAT accounts for their customers. The server is interfaced with Internet Banking system, so that the customer can view and do online trading in their DEMAT account through Internet banking.



As a part of providing Value added services, Bank has tied up with some broking companies, whereby the customers can do online trading of their shares, and also with many other service providers to facilitate online utility bill payment, tax payments, e-commerce etc.



Bank has set up its Call centres to provide customer service both through Inter-active Voice Response System (IVRS) and Customer service executives. The Call centre’s application is also interfaced with Core Banking Solution.



In order to provide SMS Banking to the customers, Bank has set up a few servers and interfaced them with the Core Banking Solution. Similarly Bank has implemented Mobile Banking Facility.



In order to secure its Information assets, the Bank has drawn and implemented its IT Security Setup, consisting of multiple layered firewalls, Network based and Host based intruder detection systems, Network Intrusion Prevention System, two factor authentication systems, anti-virus systems, Patch Management system, Network Access Control systems etc. Bank has also created VLANs, militarized and de-militarized zones in the process.



Bank has outsourced monitoring of the datacenter, network, IT security, ATMs and ATM switch and the respective service providers monitor the respective systems using different tools.



Bank has introduced Biometric System at all its branches and offices for Finacle (Core Banking System) User Authentication.

ii. Important Systems housed in Data Centre: 

Bank presently has four overseas branches at Hong Kong, Sydney, Antwerp (Belgium) and Dubai, which are also under CBS. Bank has implemented CBS for Union Bank of India (UK a Subsidiary). The data centre houses the Servers relating to Overseas branches.



Bank has implemented MIS package for generation of various reports.



LAS (Lending Automation System) for Credit Processing & Monitoring is also implemented.



Bank hosted its own intranet website – which is accessed by all the staff working at different branches and offices for various information hosted in the web site.



E-remit is another such web based system, which helps the branches/customers in providing easy fund remittance facilities from overseas locations.



Bank established a separate system for providing “Cash Management Services” to the customers.



Bank has implemented an Enterprise Application Integration system (middleware) to seamlessly integrate Core Banking system with other applications like PFMS, Union Parivar, SWIFT, Treasury package etc. DR site for EAI is also operational at Bangalore.



Bank has implemented Document Management System. All offices /branches of the Bank can access the server to store/retrieve documents.



Bank has implemented Unified Communication System for web conferencing between different offices/branches.



Bank has implemented Digital Media Signage for centralized digital display of bank’s product information /marquee.



Public Fund Management System for various Ministries.



Matched Fund Transfer Pricing (MFTP): Bank has purchased three modules of Oracle Financial Services Analytical Application (OFSAA) viz. Fund Transfer Pricing, Profitability Management and Asset Liability Management. The MFTP module enables scientific transfer pricing of internal movement of funds and the Profitability Management module would enable computation of profitability under various dimensions after cost / income allocation. This would facilitate performance evaluation of business units.



Financial Inclusion (FI) Gateway Systems.



Bank is in the advanced stages of establishing its own Data warehouse.



Bank has Implemented Operational Customer Relationship Management solution (oCRM) Siebel from Oracle.



Bank uses ‘Oracle GL’ software in Central Accounts department, for consolidation of Bank’s Balance sheet and other statements every quarter and also for preparation/generation of related reports therefrom.



Bank has a corporate email setup based on IBM Lotus Notes Solution including mobile component i.e. Lotus traveler



Bank has implemented PeopleSoft HRM package known as Union Parivar.



Bank has Campaign Management and Lead Management system process under Project Utkarsh.

iii. Systems housed outside Data Centre: 

Bank has computerized integrated treasury system. It has DR set up at Ernakulam. The Treasury system is integrated with systems such as Reuters, Bloomberg, Payment system Gateway and also SWIFT.



Bank has established a Payment Systems Gateway and connected it to RBI through INFINET. Bank uses many applications such as PDONDS, CFTS, CFMS, SFMS, RTGS, NEFT, etc., through the Payment Gateway System.



Bank uses SWIFT system for securely communicating the financial and nonfinancial messages with its counterparts internationally.



Bank established a web based system for distribution of the clearing and ECS data to the member banks.



Bank has established a system for implementing the Image based Cheque Truncation system at Delhi, Chennai and Mumbai.



Bank also has its own Internet web site. i.e. Corporate Website.

iv. Outsourced Activities (Other than those mentioned in above paras) : 

Bank has a Credit Card system, which is outsourced to M/s Atos Worldline for providing end to end services. The services mainly include issuance & maintenance of cards, maintaining credit card host for controlling transactions, providing VAP and MIP connectivity and complying with the VISA and Master mandates, PIN Security, Billing and reconciliation thereof, providing interfaces with Bank for facilitating interaction through Bank’s Call centre and also for facilitating withdrawal of Cash through ATMs.



Bank has outsourced the job of issuance, maintenance and dispatch of debit cards and prepaid cards, Issuance of Pin etc. to M/s FIS. While provision of end to end services is outsourced in respect of prepaid cards, the activities outsourced as regards debit cards are card issuance & maintenance, providing VAP/MIP interface and PIN security.



Bank outsourced Reconciliation of settlements with NPCI, VISA, Master and other networks arising out of ATM/POS/Internet transactions to M/s In solutions Global (ISG). The ISG use their systems, upload the data from the Bank/Networks, reconcile the data and provide all the reports as per requirements.

Bank has deployed Point Of Sale (POS) terminals. Providing end-to-end services relating to POS is outsourced to M/s Atom Technologies. They use their own systems and provide end-to-end services to the Bank which includes Switching, connectivity to VISA/MASTER/NPCI, Transaction Processing, Monitoring, Risk & Dispute Management, Reconciliation, Merchant Payment Reports, Merchant Management Module, Helpdesk etc.



Bank has outsourced Card Payment Gateway Services which includes switching, Connectivity to VISA/MASTER/NPCI, transaction processing reconciliation, Merchant Payment Reports, Merchant Management Module etc. to M/s FSS Services. Bank has also outsourced to them maintaining and managing through their own system Access Control Server services for additional authentication for Debit / Credit Card online transactions as mandated by RBI/VISA/MASTER/NPCI.



Bank has outsourced Mobile Banking Services, Application and systems to M/s FSS for Mobile Banking Transactions and IMPS transactions.



Bank has deployed ATMs under fully outsourced model to M/s FIS, FSS and other Service Providers which are connected to our Network and ATM switch.



Bank is utilizing systems of M/s Loyalty Rewardz for maintaining and managing Reward Point calculation for our Debit and Credit Card transactions carried out at POS/Internet.



Bank has outsourced 24X7 Call Centre at Jamshedpur and Bengaluru to M/s Aegis for which the service provider uses their own systems.



Bank has outsourced the ATM managed services for the ATMs, which include the following activities, and cash replenishment services for selected off-site ATMs: 24x7 Monitoring of ATMs EJ Pulling & Software Distribution Incident Management & Helpdesk House Keeping Services Digital Video Surveillance System Web Browser to know the status of Monitoring ATM Transactions Alarm Systems Monitoring Pulling DVSS Image from ATMs First Line Maintenance Support Staff at Regional Offices Consumables Replenishment Cash Forecasting & Management



The Bank has also outsourced its IRCTC Prepaid Cards, and Notes acceptor / Cheque deposit machines.


4. Section IV : Scope of Work

4.1. Scope of Work Related to IS (Information Systems) Audit:

i. The Scope of work mainly relates to conducting of Information System and Security Audit including Cyber Security Audit of different Information systems/applications/ Databases / Operating Systems / Security devices, appliances and Solutions / Network Equipments/ Information Technology (IT) Process like sharing information through web services, host to host etc. in use by the Bank, as listed in Annexure-I, including those systems used by other agencies for providing services in respect of activities which are outsourced. The scope also includes the VAPT of all systems as listed in Annexure-I and Annexure-II. The IS Audit should be conducted as per the guidelines given by RBI, Govt. of India, NPCI, UIDAI and Union Bank IT security Policies & Procedures and Union Bank Cyber Security Policy. IS Audit of each of the systems should broadly cover the following aspects:

− Physical and Environmental controls
− Logical access Controls
− Operating System/database review including Vulnerability Assessment
− Application Review
− Business process Review
− Network and Security Review including VA and Penetration test
− Backup procedure Review
− Business Continuity/Disaster Recovery plans/practices
− Review of Outsourced Activities
− Virus protection and Patch management.
− Capacity utilization of servers and applications
− Review of Basic minimum Configuration applicable for each system as per best practice i.e. Baseline Secure Configuration review.
− Application Security Life Cycle (ASLC) review.
− Secure Code Practice Review.

ii. Vulnerability Assessment and Penetration Tests (VAPT)

The scope also includes conducting Vulnerability Assessment and Penetration Tests (VAPT) covering operating systems, database, networking and Security Infrastructure and various on-line applications facing customers as listed in Annexure-I and all other assets listed in Annexure-II.

iii. Application Audit

The scope further includes Application Audit of the Applications used by the Bank. Some critical applications are named here below:

- Core Banking Application – “FINACLE” of Infosys Ltd inclusive of modules including NPA Management system (as IRCA norms), Government Business Module (GBM), etc.
- Core Banking Application – “FINACLE” of Infosys Ltd for Overseas branches and UK subsidiary of Bank.
- Application Audit for Internet Banking for Domestic and overseas branches.
- Treasury Application from M/s Infosys (Replaced existing KASTLE system), being used at our Treasury branch.
- Application purchased from CMC (TCS) for our Demat operations.
- LAS (Lending Automation Solution)
- MIS (Management Information System)
- PeopleSoft HRM Solution
- MFTP (Matched Fund Transfer Pricing)
- SWIFT
- ATM Switch
- Document Management System (Account Opening Process)
- Enterprise Application Integrator (EAI)
- Oracle GL
- Centralised FI gateway Application including E-KYC, DemoAuth, APBS, etc.
- E-Remit
- GSTN System

iv. POS/Mobile Application Security Audit

- Mobile Application Security Audit of DIGI Purse App, M passbook App, UControl App, UPI App, Aadhar Pay App and Umobile App, Tabulous Banking App for Tablet etc.
- 5 FI Applications ported on MicroATMs as per UIDAI Standard
- POS Applications for Credit Card/Debit Card

The audit of Applications will be with reference to:

- Auditing Application Architecture with respect to the bank’s business/operational requirements, adherence to bank’s IT Security Policy, Cyber Security Policy, Industry best practices etc.
- Study CBS and other applications for adequacy of Input, Processing and Output controls and conduct various tests to verify existence and effectiveness of controls.
- Review / audit the presence of adequate security features in CBS application to meet the standards of confidentiality, reliability, availability and integrity required for the application supporting business processes.
- Logical access control, User maintenance and password policies being followed.
- Authorization mechanism and control such as concept of maker checker, exceptions, overriding exceptions and error conditions.
- Controls over automated processing / updating of records, review or check of critical calculations such as interest rates, levying of various charges etc., review of the functioning of automated scheduled tasks, batch processes, output reports design, reports distribution, etc.
- Review of all controls including boundary controls, input controls, communication controls, database controls, output controls and interfaces controls from security perspectives.
- Review effectiveness and efficiency of the Applications.
- Identify ineffectiveness of the intended controls in the software and analyze the cause for its ineffectiveness.
- Review adequacy and completeness of controls
- Review of Capacity Utilization.
- Identify gaps in the application security parameter setup in line with the bank’s security policies and leading applicable practices.
- Auditing, both at client side and server side, including sufficiency and accuracy of event logging, SQL prompt command usage, Database level logging etc.
- Complete Review of Application Parameterization.
- Backup/Fallback/Restoration procedures and contingency planning.
- Review of segregation of roles and responsibilities with respect to application software to improve internal controls.
- Review of documentation for formal naming standards, design process for job roles, activity, groups and profiles, assignment, approval and periodic review of user profiles, assignment and use of super user access.
- Manageability with respect to ease of configuration, transaction roll backs, time taken for end of day, day begin operations and recovery procedures.
- Special remarks may also be made on following items: Hard coded user-id and password, Interfacing of software with ATM switch, EDI, Web Server and Other interfaces at Network level, Application level Recovery and restart procedures.
- Sufficiency and coverage of UAT test cases, review of UAT defects and tracking mechanism deployed by vendor and resolution including re-testing and acceptance
- Review of customizations done to the software and the SDLC policy followed for such customization.
- Proposed change management procedure during conversion, migration of data, version control etc.
- Review of Software benchmark results.
- Load and stress testing of IT infrastructure performed by the Vendors.
- Adequacy of Audit trails and meaningful logs.
- Adherence to Legal and Statutory Requirements.
- Configuration of System mail.
- Adequacy of hardening of all Servers and review of application of latest patches supplied by various vendors for known vulnerabilities as published by CERT-in, SANS, etc.

Vendor need to -

Application-level risks at system and data-level include, system integrity risks relating to the incomplete, inaccurate, untimely or unauthorized processing of data; system-security risks relating to unauthorized access to systems or data; data risks relating to its completeness, integrity, confidentiality and accuracy; system-availability risks relating to the lack of system operational capability; and system maintainability risks in terms of adequate change control procedures.

- As part of documenting the flow of transactions, information gathered should include both computerized and manual aspects of the system. Focus should be on data input (electronic or manual), processing, storage and output which are of significance to the audit objective.

- Consideration should be given to audit of application interfaces with other systems or interface of other system with application. The auditor may perform procedures such as a walk-through test.

- Review of Baseline configuration of application.

- Review of Secure code practices.

- Review controls in relation to those applications integrated with other applications, either in-house or third party, through Web services, Host to Host etc.

- The Reserve Bank of India has recently notified the Cyber Security framework vide its circular no. DBS.CO/CSITE/BC.11/33.01.001/2015-16 dated 02/06/2016. Accordingly, Risk Management Department has framed Cyber Security Policy. Since Cyber Security is a distinct subset of Information Security with emphasis on cyber security aspects, these controls need to be tested as part of Information Security Audit. Review cyber security controls as per various advisories issued by RBI or CERT-In from time to time.

- Auditors need to carry out the audit with reference to the Bank’s IT Security Policy, Cyber Security Policy, RBI Guidelines, Government of India rules and regulations and industry best practices.

v. The scope of work also includes

- Evaluating completeness of Information System Audit Policy, Cyber Security Policy and Information Security Policy, Outsourcing policy of the Bank.

- Evaluating completeness of procedures/ guidelines documents.

- Evaluating Bank’s IT Governance structure including IT Strategy, IT Steering Committee, Information Security Committee (ISC) etc.

- Providing minimum baseline security standard / practices in a checklist format to be implemented to achieve a reasonably secure IT environment for technologies deployed at Union Bank of India separately for different Information systems, covering OS, Database, network equipments, security equipments and other relevant aspects of IS Audit.

- Evaluation of Software and Hardware procurement Policy and Maintenance Process.

- Review of RBI IT examination report (GAP assessment of Cyber Security Control)

vi. The scope of work further includes guiding/helping the Bank staff in putting in place the correct practices and conducting of a compliance audit as explained in the Terms of execution of work.

vii. The scope of work also includes extending training to our IS Audit team with specific reference to understanding scripts to be run on servers, conducting VAPT, analyzing outputs, preparing reports and to share with them all the formats, check lists, scoring sheets, scripts etc. that will be used during the process of IS Audit. Bank’s IS Audit team will be attached to the IS Audit team of the selected vendor, during the course of audit, for on the job training. The IS Auditor should explain, to the bank’s team, all the processes, procedures involved in arriving at audit findings including interpretation of outputs generated by various audit tools.

viii. The scope of work includes development of risk profile and drawing up of risk matrix taking into account inherent business risk and effectiveness of the control system for monitoring the risk. Preparation of Risk Matrix should be based upon Risk Analysis of all the Information Systems of the Bank, as per the guidelines issued by RBI and Govt. of India, including following steps:

• Step 1: System Characterization
• Step 2: Threat Identification
• Step 3: Vulnerability Identification
• Step 4: Control Analysis
• Step 5: Likelihood Determination
• Step 6: Impact Analysis
• Step 7: Risk Determination

The Risk Analysis / Risk Matrix will be based on Adequacy of internal controls, business criticality, regulatory requirements, amount or value of transactions processed, if a key customer information is held, customer facing systems, financial loss potential, number of transactions processed, availability requirements, experience of management and staff, turnover, technical competence, degree of delegation, technical and process complexity, stability of application, age of system, training of users, number of interfaces, availability of documentation, extent of dependence on the IT system, confidentiality requirements, major changes carried out, previous audit observations and senior management oversight.


5. Section V : Terms of Execution of work:

5.1 Bank expects the service provider to conduct IS audit of the systems as detailed in the Scope of work in three phases - covering the Core Banking related systems in the first phase, other important systems housed in Data Centre in the second phase and remaining systems /processes in the third phase. In parallel, the service provider should carry out the jobs related to Risk Matrix. The service provider should submit a detailed plan clearly indicating the tentative dates and estimated time for IS Audit of each phase/system.

5.2 The selected vendor has to go through the audit reports of previous two years and has to check whether all the observations are complied with. They have to comment on status of non-complied observations, while undertaking fresh audit under this RFP.

5.3 During the course of audit, if the service provider observes any major deficiencies, they should immediately bring such observations, deficiencies, areas of improvement and suggestions for improvement to the notice of the concerned persons. The service provider should also discuss with, guide/help the Bank staff in implementation of the critical and important suggestions.

5.4 At the end of each phase, the service provider should submit a detailed report containing all the observations, deficiencies, areas of improvement and suggestions for improvement, for each system separately.

5.5 Since it will take some time setting right the deficiencies, on the Bank intimating them to do so, the service provider should conduct a compliance audit, to confirm setting right of the deficiencies and implementation of the suggestions. The service provider should submit a detailed report after compliance audit.

5.6 The reports arising out of the scope of work should be submitted as and when audit of one system is completed or at the latest on completion of each phase.

5.7 The assignment will be for conducting audit on time. Bank, at its option, will review and entrust the assignment either in full or in part subsequently.


6. Section VI: Terms and Conditions:

6.1. Bid Price:

i. RFP document can be purchased against payment of Rs.5,000.00 in the form of a demand draft / Pay Order issued by a scheduled commercial bank favoring Union Bank of India, payable at Mumbai.
ii. Alternatively the RFP document can be downloaded from the Bank's website www.unionbankofindia.co.in or from www.tenders.gov.in. However, the service provider will have to pay, along with submission of their offer, a non-refundable fee of Rs. 5,000.00 in the form of a demand draft / Pay Order issued by a scheduled commercial bank favoring Union Bank of India, payable at Mumbai.
iii. In the event of non-payment of the fee of Rs. 5,000.00 towards the RFP form along with the submission of the offer, the offer will not be considered.

6.2. Bid Security:

i. Service provider will have to provide a Bid security of Rs. 1.00 lakh (Rupees One lakh only) by way of either demand draft / Pay Order issued in favour of Union Bank of India by a scheduled commercial bank in India, payable at Mumbai or a Bank Guarantee of equivalent amount, valid for a period of one year, issued by a Scheduled Commercial Bank in favour of Union Bank of India.
ii. The Bank reserves its right to reject the proposal, in the event of non-submission of the bid-security money of Rs. 1.00 lakh.
iii. No interest will be payable on the Bid Security amount.
iv. The bid security amount will be forfeited if the vendor refuses to accept purchase order or, having accepted the purchase order, fails to carry out his obligations mentioned therein.
v. The Bid Security will be refunded to the unsuccessful bidders only after completion of the bid process.
vi. The Bid security of the successful bidder would be refunded while releasing the payment due after the last milestone. Hence the successful bidder has to ensure that validity of Bank Guarantee is extended till completion of the project.

6.3. Clarifications on the RFP

i. Queries/clarifications would not be entertained over phone.
ii. All the queries and clarifications must be sought in writing to the email id: [email protected], [email protected].
iii. Service providers are also requested to collate queries and submit them together seeking clarifications/responses from the Bank. It should be ensured that all the queries and clarifications are communicated in writing on or before 17 July 2017 by 4.00 PM. Queries received thereafter will not be entertained.
iv. Service providers should indicate only one e-mail id, to which the clarifications and other communications regarding the RFP can be sent.

6.4. Two Part Offer:

i. One hard copy of the Technical Bid and One Copy of the Commercial Bid must be submitted at the same time, giving full particulars in separate sealed envelopes at the Bank's address given below on or before the schedule given above. The bidder should submit a soft copy of the technical bid on a CD/Pen drive. Offers (Technical & Commercial) must be submitted at the same time, giving full particulars in separate sealed envelopes addressed to The Dy. General Manager (CA&ID) Union Bank of India, IS Audit Cell, Central Audit & Inspection Department, The Earnest House, 7th floor, Nariman Point, Mumbai-400021
ii. All the envelopes must be super-scribed with the following information –
Type of Offer - Conducting IS Audit of IT Systems and Processes (Technical Bid)
Type of Offer - Conducting IS Audit of IT Systems and Processes (Commercial Bid)
Due Date :
Name of Bidder :
Name of the Authorized Person :
Contact Number :
iii. All schedules, Formats and Annexure should be stamped and signed by an authorized official of the bidder's company.
iv. The offer should be hand delivered or by post at the given address on or before the bid submission date and time. Bids sent by fax, e-mail, courier will not be considered for evaluation.
v. Tender offers will be opened in the presence of the bidder representatives who choose to attend the opening of tender on the above-specified date, time and place. All bidders are advised to be present at the time of bid opening. No separate intimation will be given in this regard.

6.5. No Erasures or Alterations:

i. The original offer (Technical Offer and Commercial Offer) shall be prepared in indelible ink.
ii. Technical details must be completely filled up. All the hand-written details in the offer must be initialed by the persons or person who sign(s) the proposals.
iii. All the pages of the offer must be initialed by an authorized representative with a round stamp of the bidding firm.

6.6. Validity:

i. The offer should remain valid for a period of 180 days from the date of submission of the proposal.
ii. At the option of the Bank, the vendor should extend the validity of offers for such required period (s), as the Bank may require during the evaluation process.

6.7. Technical Proposal:

i. The Technical Proposal should be complete in all respects and contain all the information asked for in this RFP document in an organised and structured manner. All the details sought must be submitted in the prescribed pro-forma only (as per the attached formats). Additional/supporting documents, write-ups, etc., if any should be furnished separately.

ii. The Technical Proposal should be submitted in separate sealed envelope, super scribed as “Conducting IS Audit of IT Systems and Processes (Technical Bid)”
iii. The Technical Proposal should not contain any price information.
iv. The UNPRICED commercial proposal would be a replica of the commercial proposal except the price. It must indicate all the details except the price. It should be sufficient to ensure that all products and services asked for are quoted along with the quantity of each item quoted in the commercial proposal. The unpriced commercial proposal should be part of technical proposal.
v. The Bank, at its discretion, may not evaluate a proposal in case of non-submission or partial submission of details sought.
vi. The Technical Proposal should comprise of following (as per the formats):
o Letter in the prescribed format confirming compliance to the Bank's terms and conditions (Format – I).
o Service provider Profile (Format – II)
o Details of Professional Personnel (Format – III)
o Details of reference sites – IS Audits (Format – IV(a))
o Details of reference sites – Core Banking Application Audit (Format – IV(b))
o Proposed Methodology and work plan (Format – V)
o UNPRICED Commercial Offer as per Format - VII, which should be replica of the Commercial proposal without price information
o Bid Price (by way of DD/PO drawn in favour of Union Bank of India issued by a Scheduled Commercial bank payable at Mumbai)
o Bid Security amount (by way of DD/PO drawn in favour of Union Bank of India issued by a Scheduled Commercial bank payable at Mumbai or Bank Guarantee of equivalent amount issued by a Scheduled Commercial bank and valid for one year)
o Supporting documents and undertakings as mentioned in RFP.
o Self-declaration and certification to confirm compliance of “should nots”.
o Integrity Pact signed by Authorized official of the Bidder.
o “Know Your Employee Annexure” Duly signed by competent Authority.

6.8. Commercial Proposal:

i. The Commercial Proposal should be submitted in separate sealed envelope, superscribed as “Conducting IS Audit of IT Systems and Processes (Commercial Bid)”.

ii. The Commercial Proposal should provide all relevant price information in Indian Rupees only.
iii. It should not contradict the unpriced Commercial proposal in any manner.
iv. The responses should be strictly as per the terms and conditions of this RFP. Service Providers are advised not to attach or specify any terms and conditions. The Bank reserves its right to reject the proposals received with any additional terms and conditions specified by the Service provider.
v. The Commercial Proposal should be as per Format VI.
vi. The prices mentioned in the commercial proposal should strictly be in conformity with the price composition specified in point no. 6.9.
vii. The Commercial Bid should include all taxes, duties, fees, and other charges as may be levied under the applicable law as on the date of submission of the proposal. However, the tax component of the prices should be shown separately.
viii. The total cost must be quoted in WORDS AND FIGURES. In case of discrepancy between the words and figures, lower of the two would be considered as the price quoted and the same will be binding on the vendor.
ix. Commercial Offers of only those vendors, who qualify in Technical Bid evaluation, will be opened.

6.9. Price Composition:

i. The price quoted should be inclusive of following:
- Professional Charges
- Travel and Halting expenses, including local conveyance
- Out of pocket expenses
- All applicable taxes, duties and levies.

ii. Work Contract tax, if any, applicable should be borne by the Service provider.
iii. The commercial offer shall be on a fixed price basis and in Indian Rupees. No price variation should be asked for relating to increases in customs duty, GST and/or any taxes, foreign currency price variation etc. However, if there is any reduction in government levies/taxes, during the validity of offer, the same shall be passed on to the Bank.
iv. The costs of preparing the offer and of negotiating the contract will not be borne by the Bank and are not reimbursable. All costs and expenses incurred by Respondents in any way associated with the development, preparation, and submission of responses, including the attendance at meetings, discussions, demonstrations, reference site visits etc. and providing any additional information required by Union Bank Of India, will be borne entirely and exclusively by the Respondent.

6.10. Payment of Other Expenses:

The selected vendor will have to visit various offices of the Bank, at various locations like Mumbai, Bengaluru, Ernakulam, Chennai, Lucknow, Delhi, Kolkata, Manipal and Jamshedpur during the course of IS Audit. The Bank WILL NOT pay any expenses towards travelling, lodging and boarding of the members of IS Audit team of the selected vendor. They will have to make their own travel and stay arrangements.

6.11. Evaluation Procedure:

i. The evaluation of technical proposals will be done by a team of officials, which may include
- scrutiny of eligibility criteria to determine the eligibility of vendors;
- scrutiny of the proposals to verify whether the same is in accordance with the RFP terms; and
- Reference site feedback about the service.
ii. In the process of scrutiny of the proposals, Bank may seek additional inputs and clarifications as may be needed and also may request the service providers to make a presentation. The request for such clarifications and the response will necessarily be in writing.
iii. Proposals found to be meeting the Bank's requirements based on the technical evaluation only will be considered for commercial evaluation. Cost comparison will be on the basis of TCO (total cost of ownership).

6.12. Right to Alter Quantities

i. The Bank reserves the right to alter quantities, revise/modify all or any of the specifications, delete some items specified in this offer, when finalizing its requirements or declare the RFP void, without assigning any reason, before or after receiving the responses. That is, the Bank reserves its right to add or remove the Information systems in respect of which the IS Audit is to be conducted.
ii. The Bank also reserves the right to get the IS audit done for some of the systems only. In the event of change of quantities, the TCO would be worked out after normalizing the Commercial Offer to suit the required systems. The amounts quoted for the line items in the commercial proposal would form base for such normalization process. The TCO worked out by the Bank after normalization would be binding on the service provider.

6.13. No Commitment to Accept Lowest or Any Tender

The Bank shall be under no obligation to accept the lowest or any other offer received in response to this tender notice and shall be entitled to reject any or all tenders without assigning any reason whatsoever.

6.14. Rotation of Audit Team

If the selected service provider has already carried out IS Audit of our bank, the service provider should change the entire team and depute a fresh team.

6.15. Price freezing and Contract Period

i. The final prices stated above shall remain frozen for a minimum period up to three years from the date of the purchase order.
ii. Initial Contract would be valid for one year and can be further extended for a period of maximum three years (1+1+1) subject to satisfactory performance of the IS Auditors. Performance of the auditors would be evaluated annually.
iii. Bank reserves its right to place repeat orders for the assignment in full or in parts at the same price and terms, as per its requirements, by addition or deletion of few information systems during the price validity period i.e., three years which is subject to the Service Provider's performance meeting the Bank's benchmark for IS Audit.

6.16. Payment Terms

The terms of payment will be as follows:

i. No advance payment will be made along with the Purchase order.
ii. First 20% of the total contract value will be payable on delivery of the final report after completion of the IS audit of Information Systems identified for first phase;
iii. Another 20% of the total contract value will be payable on delivery of the final report after completion of the IS audit of Information Systems identified for second phase;
iv. Another 20% of the total contract value will be payable on delivery of the final report after completion of the IS audit of Information Systems identified for third phase;
v. Another 20% of the total contract value will be payable on delivery of the final report after completion of the scope mentioned in Section IV of scope of work and on submission of the deliverables thereof and
vi. Final 20% of the total contract value will be payable on completion of the compliance audit of all the Information Systems and on acceptance of reports thereof.

6.17. Cancellation of the assignment

The Bank reserves its right to cancel the assignment in the event of one or more of the following conditions:
- Delay in commencement of the IS Audit beyond two weeks after the assignment order or beyond the date given by the bank in the purchase order.
- Delay in completion of all the three phases of the IS Audits beyond the time specified in the assignment letter.

6.18. Liquidated Damages

6.18.1. Notwithstanding the Bank's right to cancel the assignment, 0.5% of the order value per week or part thereof would be payable to the Bank for delay in the execution of this assignment order beyond specified schedule, subject to a maximum of 5% of the value of the said phase.
6.18.2. Bank reserves its right to recover these amounts by any mode such as adjusting from any payments to be made by the Bank to the company.
6.18.3. The Bank however may review and consider waiving imposing of liquidated damages for delays beyond the control of the Service Provider.

6.19. RFP Ownership

The RFP and all supporting documentation are the sole property of Union Bank and should NOT be redistributed without prior written consent of Union Bank. Violation of this would be a breach of trust and may, inter-alia cause the vendors to be irrevocably disqualified. The aforementioned material must be returned to Union Bank while submitting the proposal, or upon request. However, service providers can retain one copy for reference.

6.20. Proposal Ownership

The proposal and all supporting documentation submitted by the service providers shall become the property of the Bank. The proposal and documentation may be retained, returned or destroyed as the Bank decides.

6.21. Confidentiality

6.21.1. This document contains information confidential and proprietary to the Bank. Additionally, the service providers will be exposed by virtue of the contracted activities to the internal business information of the Bank. Disclosures of receipt of this RFP or any part of the aforementioned information to parties not directly involved in providing the services requested could result in the disqualification of the service providers, premature termination of the contract, or legal action against the service providers for breach of trust.
6.21.2. Selected service provider will have to sign a legal non-disclosure agreement with the Bank before starting the project.

6.22. Disclaimer

Subject to any law to the contrary, and to the maximum extent permitted by law, Union Bank Of India and its officers, employees, contractors, agents, and advisers disclaim all liability from any loss or damage (whether foreseeable or not) suffered by any person acting on or refraining from acting because of any information including forecasts, statements, estimates, or projections contained in this RFP document or conduct ancillary to it whether or not the loss or damage arises in connection with any negligence, omission, default, lack of care or misrepresentation on the part of Union Bank Of India or any of its officers, employees, contractors, agents, or advisers.


7. Section VII: RFP Response Formats

1. Format – I: Letter to the Bank on the Service provider's letterhead
2. Format – II: Service Provider Profile
3. Format – III: CV of Professional Personnel
4. Format – IV(a): References of IS Audits done for Banks.
5. Format – IV(b): References of Core Banking Application Audits done for Banks.
6. Format – V: Proposed Methodology & Work Plan
7. Format – VI: Commercial Offer
8. Format – VII: Unpriced Commercial Offer
9. FORMAT – VIII: FORMAT FOR BANK GUARANTEE
10. FORMAT – IX: FORMAT OF INTEGRITY PACT
11. FORMAT – X: Know Your Employee Annexure
12. Annexure-I
13. Annexure-II


1. Format – I: Letter to the Bank on the Service provider's letterhead

To
Union Bank of India, Central Audit & Inspection Department, The Earnest House, 7th Floor, Nariman Point, Mumbai - 400 021

Dear Sir,

Sub: Response to RFP in connection with outsourcing IS Audit

With reference to the above RFP, having examined and understood the instructions, terms and conditions, we hereby enclose our offer for conducting IS Audit of the systems, as detailed in your above referred inquiry. We confirm that the offer is in conformity with the terms and conditions as mentioned in your above referred RFP. We further confirm that the information furnished in the proposal, annexure, formats, is correct. Bank may make its own inquiries for verification and we understand that the Bank has the right to disqualify and reject the proposal, if any of the information furnished in the proposal is not correct. We also confirm that the prices offered shall remain fixed for a period of one hundred and eighty (180) days from the date of submission of the offer. We also understand that the Bank is not bound to accept the offer either in part or in full. If the Bank rejects the offer in full or in part, the Bank may do so without assigning any reasons thereof. We further understand that the finalized prices will be frozen for a period of three years from the date of entrustment of assignment and that the Bank, at its discretion may entrust the assignment again in full or parts at the same price and terms as per its requirements with addition / deletion of few information systems to be audited. Yours faithfully,

Authorized Signatories (Name, Designation and Seal of the Company) Date:


2. Format – II: Service Provider Profile

S. No. | Particulars | Response
1 | Name of the Service Provider |
2 | Address for Communication |
3 | Contact Person 1 |
4 | Phone / Mobile Number |
5 | Email id |
6 | Contact Person 2 |
7 | Phone / Mobile Number |
8 | Email id |
9 | Experience in the business in India (No. of Completed Years (Minimum Three Years)) |
10 | Total Number of staff in India |
11 | No. of professionally qualified persons | CISA __ | CISSP ___ | CISM __
12 | Name of the professionally qualified personnel indicating the respective qualifications (service provider may add more lines as per requirements) | CISA | CISSP | CISM
13 | Business details in India for the last three financial years (copies of the published audited financial statements should be annexed)
Year | Turnover | Service Income | Operating profit | Net Profit after Tax
2014-15 | | | |
2015-16 | | | |
2016-17 | | | |
14 | Details of the organizations for which IS Audit was conducted in the past three years (2014-2017)
Name of the Organisation | Place | Month & Year


3. Format – III: CV of Professional Personnel

(To be furnished on a separate sheet for each employee)

Name of the staff
Date of Birth
Professional Qualifications
Service in the firm from
Previous employment record: Organization | From | to
Details of Key assignments handled in the past three years: Organization | Month & Year | Details of assignment done
Whether Copy of the Professional Certification like CISA/CISM/CISSP is enclosed or not: Yes / No (Certification Details)


4. Format – IV(a): References of IS Audits done for Banks.

(The details of each assignment should be furnished on a separate page. The details should relate to the assignments done during the past three (2014-2017) years. We expect two references in the minimum)

1. Name of the Bank
2. Address
3. Name of the Contact Person
4. Designation
5. Direct Phone number
6. Mobile Phone
7. E-mail id
8. Month & Year in which IS Audit was conducted
9. Names of professional personnel who carried out that assignment
10. Brief particulars of the Systems for which IS audit was done. (Scope of Work)


5. Format – IV(b): References of Core Banking Application Audits done for Banks.

(The details of each assignment should be furnished on a separate page. The details should relate to the assignments done during the past three years (2014-2017). We expect two references in the minimum)

1. Name of the Bank
2. Address
3. Name of the Contact Person
4. Designation
5. Direct Phone number
6. Mobile Phone
7. E-mail id
8. Month & Year in which IS Audit was conducted
9. Names of professional personnel who carried out that assignment
10. Scope of Work


6. Format – V: Proposed Methodology & Work Plan

(Please mention the details of tasks you propose to do along with the estimates of time lines for each task, the key personnel you intend to engage for each of the tasks in the assignment and the deliverables for each task. In other words, this sheet should provide the entire project plan)


7. Format – VI: Commercial Offer

(To be submitted in Commercial Bid)

To
Union Bank of India, Central Audit & Inspection Department, The Earnest House, 7th floor, Nariman Point, Mumbai - 400 021

Dear Sir,

Sub: Response to RFP in connection with outsourcing IS Audit

With reference to the above RFP, having examined and understood the instructions, terms and conditions, we hereby enclose our Commercial offer for conducting IS Audit of the systems, as detailed in your above referred inquiry.

Sr. No. | Details | Professional Fees (Rs.) | Taxes (Rs.) | Total Cost (Rs.)
1 | IS audit of Bank's systems as per Scope defined in RFP | | |
2 | Any Other Cost (please specify) | | |
Total Cost of Ownership (TCO)
TCO in words:

We confirm that the offer is in conformity with the terms and conditions as mentioned in your above referred RFP. We further confirm that the information furnished in the proposal, annexure, formats, is correct. Bank may make its own inquiries for verification and we understand that the Bank has the right to disqualify and reject the proposal, if any of the information furnished in the proposal is not correct. We also confirm that the prices offered shall remain fixed for a period of One Hundred Eighty (180) days from the date of submission of the offer. We also understand that the Bank is not bound to accept the offer either in part or in full. If the Bank rejects the offer in full or in part the Bank may do so without assigning any reasons therefor.

Yours faithfully,

Authorized Signatories (Name, Designation and Seal of the Company) Date:


8. Format – VII: Unpriced Commercial Offer

(To be submitted in Technical Bid)

To
Union Bank of India, Central Audit & Inspection Department, The Earnest House, 7th floor, Nariman Point, Mumbai - 400 021

Dear Sir,

Sub: Response to RFP in connection with outsourcing IS Audit

With reference to the above RFP, having examined and understood the instructions, terms and conditions, we hereby enclose our Unpriced Commercial offer for conducting IS Audit of the systems, as detailed in your above referred inquiry. We have not furnished any price information below.

Sr. No. | Details | Professional Fees | Taxes | Total Cost
1 | IS audit of Bank's systems as per Scope defined in RFP | Yes / No | Yes / No | Yes / No
2 | Any Other Cost (please specify) | Yes / No | Yes / No | Yes / No
Total Cost of Ownership (TCO) | Yes / No | Yes / No
TCO in words: | Yes / No | Yes / No

We confirm that the offer is in conformity with the terms and conditions as mentioned in your above referred RFP. We further confirm that the information furnished in the proposal, annexures, formats, is correct. Bank may make its own inquiries for verification and we understand that the Bank has the right to disqualify and reject the proposal, if any of the information furnished in the proposal is not correct. We also confirm that the prices offered shall remain fixed for a period of One Hundred Eighty (180) days from the date of submission of the offer. We also understand that the Bank is not bound to accept the offer either in part or in full. If the Bank rejects the offer in full or in part the Bank may do so without assigning any reasons therefor.

Yours faithfully,

Authorized Signatories (Name, Designation and Seal of the Company) Date:


9. FORMAT – VIII: FORMAT FOR BANK GUARANTEE

To
Union Bank of India, Central Audit & Inspection Department, The Earnest House, 7th floor, Nariman Point, Mumbai - 400 021.

Dear Sirs,

In response to your invitation to respond to your RFP for IS Audit, M/s __________________ having their registered office at _____________ (hereinafter called the ‘Service Provider’) wish to respond to the said Request for Proposal (RFP) and submit the proposal for conducting Information System Audit of the bank as per terms and conditions listed in the RFP document.

Whereas the ‘Service Provider’ has submitted the proposal in response to RFP, we, the ____________ Bank having our head office ________________ hereby irrevocably guarantee an amount of Rs. (Rupees only) as earnest money deposit as required to be submitted by the ‘Service Provider’ as a condition for participation in the said process of RFP.

The earnest money deposit for which this guarantee is given is liable to be enforced/invoked:
1) If the Service Provider withdraws his proposal during the period of the proposal validity; or
2) If the Service Provider, having been notified of the acceptance of its proposal by the Bank during the period of the validity of the proposal, fails or refuses to enter into the contract in accordance with the Terms and Conditions of the RFP or the terms and conditions mutually agreed subsequently.

We undertake to pay immediately on demand to Union Bank of India, the said amount of Rupees only without any reservation, protest, demur, or recourse. The said guarantee is liable to be invoked/enforced on the happening of the contingencies as mentioned above and also as mentioned in the RFP document and we shall pay the amount on any demand made by Union Bank of India which shall be conclusive and binding on us irrespective of any dispute or difference raised by the Service Provider.

Notwithstanding anything contained herein our liability under this Bank guarantee shall not exceed Rs. __________ (Rupees only). This Bank guarantee will be valid upto _________ days; and We are liable to pay the guarantee amount or any part thereof under this Bank guarantee only upon service of a written claim or demand by you on or before ________________.

In witness whereof the Bank, through the authorized officer, has set its hand and stamp on this _______________ day of __________________ at _________________.

10. FORMAT – IX: FORMAT OF INTEGRITY PACT

This pre-bid contract agreement (hereinafter called the Integrity Pact) is made on ____________ day of the month of _____________ 2017, Between on one hand, Union Bank of India, a body Corporate constituted under Banking Companies (Acquisition and Transfer of Undertaking) Act, 1970 having its Head Office at 239, Vidhan Bhavan Marg, Mumbai - 400021 (hereinafter referred to as “The Bank or the BUYER” which expression shall include its successors and assigns) AND M/s __________________________ a company registered under Companies Act 1956 (or) 2013 having its registered Office at ___________________________ ________________________ India, (hereinafter referred to as the BIDDER which expression shall include its successors and assigns).

Whereas the BUYER proposes to procure ________________________ and the BIDDER is willing to offer/has offered the services/equipment, and

Both parties undertake to avoid all forms of corruption by following a system that is fair, transparent, and free from any influence of prejudiced dealings prior to, during, and subsequent to the currency of the contract to be entered into with a view to:

Enabling the BUYER to obtain the said services/equipment in a competitive price in conformity with the defined specifications by avoiding the high cost and distortionary impact of corruption on public procurement and

Enabling BIDDERS to abstain from bribing or indulging in any corrupt practice in order to secure the contract by providing assurance to them that their competitors will also abstain from bribing and other corrupt practices and the BUYER will commit to prevent corruption, in any form, by its officials, by following transparent procedures.

The parties hereto hereby agree to enter into this Integrity Pact and agree as follows:

1. Commitments of the BUYER

1.1. The BUYER undertakes that no official of the BUYER, connected directly, or indirectly to the contract, will demand, take a promise for or accept, directly, or through intermediaries, any bribe, consideration, gift, reward, favour or any material or immaterial benefit or advantage from the BIDDER, either for themselves, or for any person, organization or third party related to the contract in exchange for an advantage in the bidding process, bid evaluation, contracting or implementation process related to the contract.

1.2. The BUYER will, during the pre-contract stage, treat all BIDDERS alike, and will provide to all BIDDERS the same information and will not provide any such information to any particular BIDDER which could afford a particular advantage to that particular BIDDER in comparison to other BIDDERS.

1.3. All the officials of the BUYER will report to the appropriate Government office any attempt or completed breaches of the above commitments as well as any substantial suspicion of such a breach.

1.4. In case any such preceding misconduct on the part of such officials is reported by the BIDDER to the BUYER with full and verifiable facts and the same is prima facie found to be correct by the BUYER, necessary disciplinary proceedings, or any other action as deemed fit, may be initiated by the BUYER and such a person shall be debarred from further dealings related to the contract process. In such a case while an enquiry is being conducted by the BUYER, the proceedings under the contract would not be stalled.

2. Commitments of BIDDERS

The BIDDER commits itself to take all measures necessary to prevent corrupt practices, unfair means and illegal activities during any stage of its bid or during any pre-contract or post-contract stage in order to secure the contract or in furtherance to secure it and in particular commit itself to the following:2.1

The BIDDER will not offer directly, or through intermediaries, any bribe, gift, consideration, reward, favour, any material or immaterial benefit or other advantage, commission, fees, brokerage or inducement to any official of the BUYER connected directly or indirectly with the bidding process, or to any person, organization or third party related to the contract in exchange for any advantage in the bidding, evaluation, contracting and implementation of the contract.

2.2

The BIDDER further undertakes that it has not given, offered or promised to give directly or indirectly, any bribe, gift, consideration, reward, favour, any material or immaterial benefit or other advantage, commission, fees, brokerage or inducement to any official of the BUYER or otherwise in procuring the contract or forbearing to do or having done any act in relation to the obtaining or execution of the contract or any other contract with the Bank for showing or forbearing to show favour or disfavour to any person in relation to the contract or any other contract with the Bank.

2.3

BIDDERs shall disclose the name and address of agents and representatives and Indian BIDDERS shall disclose their foreign principals or associates.

2.4

BIDDERs shall disclose the payments to be made by them to agents/brokers, or any other intermediary, in connection with this bid/contract.


2.5

The BIDDER further confirms and declares to the BUYER that the BIDDER is the original manufacturer/integrator/authorized government sponsored export entity of the defence stores and has not engaged any individual or firm or company, whether Indian or foreign, to intercede or facilitate or in any way to recommend to the BUYER or any of its functionaries, whether officially or unofficially to the award of the contract to the BIDDER, nor has any amount been paid to any such individual, firm or company in respect of any such intercession, facilitation or recommendation.

2.6

The BIDDER either while presenting the bid or during the pre-contract negotiations or before signing the contract, shall disclose any payments he has made, is committed to or intends to make to officials of the BUYER or their family members, agents, brokers or any intermediaries in connection with the contract and the details of services agreed upon for such payments.

2.7

The BIDDER will not collude with other parties interested in the contract to impair the transparency, fairness and progress of the bidding process, bid evaluation, contracting and implementation of the contract.

2.8

The BIDDER will not accept any advantage in exchange for any corrupt practice, unfair means and illegal activities.

2.9

The BIDDER shall not use improperly, for purposes of competition or personal gain or pass on to others, any information provided by the BUYER as part of the business relationship, regarding plans, technical proposals and business details including information contained in any electronic data carrier. The BIDDER also undertakes to exercise due and adequate care lest any such information is divulged.

2.10 The BIDDER commits to refrain from giving any complaint directly or through any other manner without supporting it with full and verifiable facts.

2.11 The BIDDER shall not instigate or cause to instigate any third person to instigate any of the actions mentioned above.

2.12 If the BIDDER or any employee of the BIDDER or any person acting on behalf of the BIDDER, either directly or indirectly, is a relative of any of the officers of the BUYER, or alternatively, if any relative of any officer of the BUYER has financial interest/stake in the BIDDER's firm, the same shall be disclosed by the BIDDER at the time of filing of tender. The term 'relative' for this purpose would be as defined in section 6 of the Companies Act, 1956.

2.13 The BIDDER shall not lend to or borrow any money from or enter into any monetary dealings or transactions directly or indirectly with any employee of the BUYER.

3. PREVIOUS TRANSGRESSION

3.1. The BIDDER declares that no previous transgression occurred in the last three years immediately before signing of this Integrity Pact with any other company in any country in respect of any corrupt practices envisaged hereunder or with any Public Sector Enterprise in India or any Government department in India that could justify BIDDER's exclusion from the tender process.

3.2. The BIDDER agrees that if it makes incorrect statement on this subject, BIDDER shall be disqualified from the tender process or the contract, if already awarded, can be terminated for such reason.

4. EARNEST MONEY (SECURITY MONEY)

4.1. While submitting commercial bid, the BIDDER shall deposit an amount (to be specified in the RFP) as Earnest money/Security deposit, with BUYER through any of the following instruments:

4.1.1 Bank draft or Pay Order in favour of Union Bank of India

4.1.2 A confirmed guarantee by any Indian Nationalised bank, promising payment of the guaranteed sum on demand within three working days without any demur whatsoever and without seeking any reasons whatsoever. The demand for payment by the BUYER shall be treated as conclusive proof of payment.

4.1.3 Any other mode through any other instrument (to be specified in the RFP)

4.2

The Earnest money/Security deposit shall be valid up to a period of five years or the complete conclusion of the contractual obligations to the complete satisfaction of both the BIDDER and the BUYER, including warranty period, whichever is later.

4.3

In case of the successful BIDDER a clause would also be incorporated in the Article pertaining to Performance Bond in the Purchase Contract that the provisions for Sanctions for Violation shall be applicable for forfeiture of Performance Bond in case of a decision by the BUYER to forfeit the same without assigning any reason for imposing sanction for violation of this Pact.

4.4

No interest shall be payable by the BUYER to the BIDDER on Earnest money/Security deposit for the period of its currency.

5. SANCTIONS FOR VIOLATIONS

5.1

Any breach of the aforesaid provisions by the BIDDER or any one employed by it or acting on its behalf (whether with or without the knowledge of the BIDDER) shall entitle the BUYER to take all or any one of the following actions, wherever required:

5.1.1 To immediately call off the pre-contract negotiations without assigning any reason or giving any compensation to the BIDDER. However, the proceedings with the other BIDDER(s) would continue.

5.1.2 The Earnest Money Deposit, (in pre-contract stage) and/or Security Deposit Performance Bond (after the contract is signed) shall stand forfeited, either fully or partially, as decided by the BUYER and the BUYER shall not be required to assign any reason therefore.

5.1.3 To immediately cancel the contract, if already signed, without giving any compensation to the BIDDER.

5.1.4 To recover all sums already paid by the BUYER and in case of an Indian BIDDER with interest thereon at 2% higher than the prevailing Prime Lending rate of State Bank of India, while in case of a BIDDER from a country other than India, with interest thereon at 2% higher than the LIBOR.

5.1.5 If any outstanding payment is due to the BIDDER from the BUYER in connection with any other contract of any other stores, such outstanding payment could also be utilized to recover the aforesaid sum and interest.

5.1.6 To encash the advance bank guarantee and performance bond warranty bond, if furnished by the BIDDER, in order to recover the payments, already made by the BUYER, along with interest.

5.1.7 To cancel all or any other contracts with the BIDDER. The BIDDER shall be liable to pay compensation for any loss or damage to the BUYER resulting from such cancellation/rescission and the BUYER shall be entitled to deduct the amount so payable from the money(s) due to the BIDDER.

5.1.8 To debar the BIDDER from participating in future bidding processes of the Bank for a minimum period of five years, which may be further extended at the discretion of the BUYER.

5.1.9 To recover all sums paid in violation of this Pact by BIDDER(s) to any middle men or agent or broker with a view to securing the contract.

5.1.10 In cases where irrevocable Letters of Credit have been received with respect o

5.1.11 Forfeiture of Performance Bond in case of a decision by the BUYER to forfeit the same without assigning any reason for imposing sanction for violation of this Pact.

5.2

The BUYER will be entitled to take all or any of the actions mentioned at Para 5.1 (i) to (x) of this Pact also on the commission by the BIDDER or anyone employed by it or acting on its behalf (whether with or without the knowledge of the BIDDER), of an offense as defined in Chapter IX of the Indian Penal code 1860 or Prevention of Corruption Act 1988 or any other statute enacted for prevention of corruption.

5.3

The decision of the BUYER to the effect that a breach of the provisions of this act has been committed by the BIDDER shall be final and conclusive on the BIDDER. However, the BIDDER can approach the Independent Monitor(s) appointed for the purpose of this Act.

6. FAIL CLAUSE

6.1 The BIDDER undertakes that it has not supplied/is not supplying similar product/system or sub-systems at a price lower than that offered in the present bid in respect of any other Ministry/Department of the Government of India or PSU and if it is found at any stage that similar products/systems or sub-systems were supplied by the BIDDER to any other Ministry/Department of the Government of India or PSU at a lower price, then that very price, with due allowance for elapsed time, will be applicable to the present case and the difference in the cost would be refunded to the BUYER by the BIDDER if the contract has already been concluded.

7. INDEPENDENT MONITORS

7.1

The BUYER has appointed Independent Monitors (hereinafter referred to as Monitors) for this Pact in consultation with the Central Vigilance Commission (Names and addresses of the Monitors to be given)

7.2

The task of the Monitors shall be to review independently and objectively whether and to what extent the parties comply with the obligations under this Pact. The Monitors shall not be subject to instructions by the representatives of the parties and perform their functions neutrally and independently.

7.3

7.4

Both the parties accept that the Monitors have the right to access all the documents relating to the project procurement including minutes of meetings.

7.5

As soon as the Monitor notices, or has reason to believe, a violation of this Pact, he will so inform the Authority designated by the BUYER.

7.6

The BIDDER(s) accepts that the Monitor has the right to access without restriction all project documentation of the BUYER including that provided by the BIDDER. The BIDDER will also grant the Monitor, upon his request and demonstration of a valid interest, unrestricted and unconditional access to his project documentation. The same is applicable to sub-contractors. The Monitor shall be under contractual obligation to treat the information and documents of the BIDDER/Sub-contractor(s) with confidentiality.

7.7

The BUYER will provide to the Monitor sufficient information about all meetings among the parties related to the Project provided such meetings could have an impact on the contractual relations between the parties. The parties will offer to the Monitor the option to participate in such meetings.

7.8

The Monitor will submit a report to the designated Authority of the BUYER/Secretary in the department within 8 to 10 weeks from the date of reference or intimation to him by the BUYER or BIDDER and, should the occasion arise, submit proposals for correcting problematic situations.

8. FACILITATION OF INVESTIGATION

8.1

In case of any allegation of violation of any provision of this Pact, or payment of commission, the BUYER or its agencies shall be entitled to examine all the documents including the books of accounts of the BIDDER and the BIDDER shall provide necessary information and documents in English and shall extend all possible help for the purpose of such examination.

9. LAW AND PLACE OF JURISDICTION

9.1

This Pact is subject to Indian law. The place of performance and jurisdiction is the seat of the BUYER.

10. OTHER

10.1 Legal Actions - The actions stipulated in this Integrity Pact are without any prejudice to any other legal action that may follow in accordance with the provisions of the extant law in force relating to any civil or criminal proceedings.

11. VALIDITY

11.1 The validity of this Integrity Pact shall be from the date of its signing and extend up to five years or the complete execution of the contract to the satisfaction of both the BUYER and the BIDDER/Seller, including warranty period, whichever is later. In case BIDDER is unsuccessful, this Integrity Pact shall expire six months from the date of the signing of the contract.

11.2 Should one or several provisions of this Pact turn out to be invalid, the remainder of this Pact shall remain valid. In this case the parties will strive to come to an agreement to their original intentions.

This Integrity Pact is signed on ______________________________________ By:

ON BEHALF OF THE BUYER

ON BEHALF OF THE BIDDER

Name of the Official Designation Union Bank of India

Name of the Official Designation M/s

Signature of Witness 1 Name: Address:

Signature of Witness 2 Name: Address:


11. FORMAT-X: Know Your Employee Annexure
(To be submitted by all bidders on their letter head)

To:
The Dy. General Manager
Union Bank of India
Central Audit & Inspection Department,
Earnest House, 7th Floor
NCPA Marg, Nariman Point
Mumbai - 400021

UNDERTAKING

1.

We ______________________ (name of the company) hereby confirm that all the resources (both on-site and off-site) deployed/to be deployed on Bank's project for ________________ (Name of the RFP) have undergone KYE (Know Your Employee) process and requisite checks have been performed prior to employment of said employees as per our policy.

2.

We further undertake and agree to save, defend and keep harmless and indemnified the Bank against all loss, cost, damages, claim, penalties, expenses, legal liability because of non-compliance of KYE and of misconduct of the employee deployed by us to the Bank.

Signature of Competent Authority with company seal ________________________________ Name of Competent Authority

__________________________________

Company / Organization

__________________________________

Designation within Company / Organization

__________________________________

Date

________________

Name of Authorized Representative

__________________________________

Designation of Authorized Representative

__________________________________

Signature of Authorized Representative

__________________________________

Verified above signature Signature of Competent Authority

__________________________________


Annexure-I

12. LIST OF APPLICATIONS IN THE BANK

PHASE I

No SYSTEM CATEGORY DESCRIPTION

1

Network System and Processes

Network System/Network Security and Processes

2

CBS System (India)

Finacle Domestic Govt Business Module (GBM) Connect 24 NPA Module

3

ATM

ATM Switch (Base 24) Prognosis EMS Feeds Multi-Host Interface VAPT of 100 ATMs with credentials

4

Integration with other external systems Internet Banking Application (Domestic )-Retail & Corporate Internet Banking Application (UK Subsidiary)

Internet Banking

Two Factor Authentication Application (2FA)

5 6

Antivirus Systems, management etc. SMS Banking

Utility Bill Payment System and others Patch Anti Virus System, Patch management, Active Directory, NAC, etc. SMS Gateway SMS Pull

7

Mobile Banking

U Mobile Digi Purse UPI UCTRL / Usecure IMPS M PASSBOOK & Union Selfie , Aadhar Pay Tabulous Banking App for Tablets

8

IT Security Systems including Web gateway, email gateway, New IT Security Systems and Processes Generation Firewalls and Processes.

9

Outsourced activities for Tivoli Monitoring & Backup Tool, Nemisoft Monitoring of Data Centre, Network Monitoring Tool, Processes for Network , Security etc monitoring of outsourced resources etc.

10

Biometric System

Biometric Authentication System (BAS)

PHASE II

11

Lending Automation System (LAS)

LAS, Union Retail Loan System, other components

12

Cash Management Services (CMS)

15

Cash Management Services (CMS) Enterprise Application Integration (EAI) Matched fund Transfer Price (MFTP) Public Fund Management Systems

16

Business Intelligence (BI)

Business Objects

13 14

Enterprise Application Integration MFTP Public Fund Management Systems(PFMS) Informatica Visual Analytics

17

Data Warehousing

SIEBEL OCRM SAS ACRM

18

Teradata DWH FI Gateway & E-KYC Application,E-KYC,AEPS, Financial Inclusion (FI) Gateway DEMOAUTH, MicroATM Applications of various Server vendors.

PHASE III

19

Self Service Devices

ATM Audit on Sample Basis All Channel Reconciliation Systems (ATM, Internet Banking, Mobile, Adhaar, POS, etc.) Cheque Deposit Machine Application Semi Automatic Passbook Printer (SAPBP) Application Self Service Passbook Printer (SSPBP) Application Single Note acceptor Machine (SNA) Application

20

Integrated Treasury System

Finacle Treasury Integrated Treasury System Dealing System, RETD Back Office system and Processes

21

Payments Systems Gateway (NEFT SFMS (NEFT & RTGS) & RTGS) QPH

22

SWIFT System

SWIFT System and Processes for domestic as well as overseas branches

23

Cheque Truncation System (CTS)

CTS Delhi, Mumbai, Chennai

24

Debit Card System

Debit Card Management System

25

Credit Card System

Credit Card System including NPA Management

26

Point Of Sale (POS) System

POS Devices (Sample Basis), POS Applications, Centralised Point of Sales (POS) System

27

Payments Gateway Systems

Electra Card Services /FSS IRCTC Prepaid System

Gift Card System Direct Debit through ATM Card and PIN Other Payment Solution hosted at FSS 28

Call Centre

Call Centre and OCRM Application Software

29

CBS System – Sydney

Finacle Sydney Finacle Treasury Sydney Finacle Nostro Reconciliation (FNR) Sydney

30

CBS System – Hong Kong

Finacle HK Finacle Treasury Hongkong Finacle Nostro Reconciliation (FNR) Hongkong

31

CBS System – Dubai

Finacle Dubai Finacle Treasury Dubai Finacle Nostro Reconciliation (FNR) Dubai

32

CBS System – Belgium

Finacle Antwerp Finacle Treasury Antwerp Finacle Nostro Reconciliation

33

CBS System – UK

Finacle UK Finacle Treasury UK Finacle Nostro Reconciliation

34

IBM Lotus Notes Solution (EMAIL IBM Domino Mail & Lotus Traveler, Outlook etc. System)

36

Bank's Internet Web Site and other public facing websites i.e. eremit, unionretailloan.com etc. Customer Care Unit

37

DR Site / Near Site

38

GSTN Application

Union Bank of India Corporate Website, UBI UK Ltd. Website and other overseas branches Websites. Customer Care System DR Site at Bengaluru and Ernakulam, Near Site at Mumbai GST Network Application

39

Cheque Book Printing System

In-house as well as outsourced Application

35

Additional Details of Hardware / Software / Applications outsourced:

Sr No System/Application Service Provider

1 2 3 4 5 6

ATM/BNA/SNA/Cash Recyclers Reconciliation of ATM /POS Transactions E2E ATM Reconciliation for DFS model ATMs Debit Card Management Services Pre Paid Card Management Services Merchant Acquiring through Point of Sales terminals

NCR/Diebold/Wincor/AGS/Lipi/Vortex/Hitachi/OKI M/s In-Solution Global Pvt Ltd M/s In-Solution Global Pvt Ltd FIS Payment Solutions and services India Pvt. Ltd FIS Payment Solutions and services India Pvt. Ltd M/s ATOM Technologies Ltd. Andheri Mumbai

7

Credit Card Management Services Access Control Server Merchant Management & Payment Gateway Services Call Centre Services ATM Managed Service E2E ATM Services on transaction cost basis (Opex model)

8

9 10 11

M/s ATOS Worldline Limited, Malad (w) Mumbai Financial Software & System (P) Ltd –(FSS)

M/s Aegis Limited, Kurla (W) Mumbai AGS Transact Technologies Ltd. 1. FIS 2. FSS 3. EPS 4. NCR 5. Hitachi 6. TCPSL 7. Mphasis 8. AGS Data Entry of cheques at CMS The United Computer System UMobile Support services Financial software & System (P) Ltd. (FSS) Digipurse Support Services Financial software & System (P) Ltd. (FSS) IRCTC Prepaid Card Financial software & System (P) Ltd. (FSS) SNA Managed Services Forbes Technosys Ltd Cheque Deposit Machine Forbes Technosys Managed services APLAB Ltd

12 13 14 15 16 17

18

Pass book services

19

Printers

Managed Forbes Technosys APLAB Ltd

20

Reward Point Services on credit Loyalty Rewards Management Pvt Ltd Card & Debit Card UPI FSS

21

BBPS

Bill Desk

22

Cheque Book Printing System

M/s Shesaasai, M/s Utility Forms,M/s Manipal Technologies Ltd.

Application Audit

The scope further includes Application Audit of the Applications used by the Bank. Some critical applications are named here below:

• Core Banking Application – “FINACLE” of Infosys Ltd inclusive of modules including NPA Management system (as IRCA norms), Government Business Module (GBM), etc.
• Core Banking Application – “FINACLE” of Infosys Ltd for Overseas branches and UK subsidiary of Bank.
• Application Audit for Internet Banking for Domestic and overseas branches.
• Treasury Application from M/s Infosys (Replaced existing KASTLE system), being used at our Treasury branch.
• Application purchased from CMC (TCS) for our Demat operations.
• LAS (Lending Automation Solution)
• MIS (Management Information System)
• PeopleSoft HRM Solution
• MFTP (Matched Fund Transfer Pricing)
• ATM Switch
• Document Management System (Account Opening Process)
• Enterprise Application Integrator (EAI)
• Oracle GL
• Swift
• Centralised FI gateway Application including E-KYC, DemoAuth, APBS, etc.
• E-Remit
• GSTN System

POS/Mobile Application Security Audit

• Mobile Application Security Audit of DIGI Purse App, M passbook App, UControl App, UPI App, Aadhar Pay App and Umobile App, Tabulous Banking App for Tablet etc.
• 5 FI Applications ported on MicroATMs as per UIDAI Standard
• POS Applications for Credit Card/Debit Card

Please note that above list of applications for application audit may be replaced with other set of applications every year.


13.

ANNEXURE II

Assets not covered for IS Audit but to be covered for VAPT:

Intranet (UBINET) Document Management System(DMS) Web-based systems such as , E-remit etc and other in-house developed small software Unified Communication System Digital Media Signage Asset & Liability Management(ALM) Integrated Risk Management System(IRM) AMLOCK for Anti-Money Laundering Central Accounts system- Oracle GL Channel Financing Canteen and Access Cards Demat Management Information Systems Union Parivar-HRM Package Aadhar Status Online Account Opening OMC Monitoring Systems Board of Directors Portal Risk Based Internal Audit FI Portal (Bank Mitra) Tax Audit Concurrent Audit Allocation Kendriya Vidyalaya Fees Collection Ntrp Pos- Bharat Kosh Saral Tds Package Core Rajbhasha Software E-Learning Union Rewardz Document Tracking Systems

*****END OF DOCUMENT******
