No: HUDCO/ITW/SA/235/2017/1

Dated: 25th January, 2017

Request for Proposal for Security Audit for IT Systems and suggesting DR policy by CERT-In empaneled agency

HOUSING & URBAN DEVELOPMENT CORPORATION LIMITED
Core 7-A, HUDCO Bhawan, India Habitat Centre, Lodhi Road, New Delhi 110003
Website: www.hudco.org
CIN: U74899 DL1970GOI005276
Emails: [email protected] and [email protected]

The tender document can be downloaded from the websites - www.hudco.org or www.eprocure.gov.in

Introduction

HUDCO is an all-India premier techno-financial PSU in the field of human settlement under the administrative control of the Ministry of Housing and Urban Poverty Alleviation, Govt. of India. HUDCO was incorporated on April 25, 1970 under the Companies Act 1956.

HUDCO intends to go for a security audit of its IT infrastructure to simulate covert and hostile activities in order to identify specific exploitable vulnerabilities and to expose potential entryways to vital or sensitive data that, if discovered and misused by a malicious individual, could pose increased risk and liability to the organization, its executives and stakeholders. The security consultant has to perform a security audit of online assets and company resources through the network, servers and applications, from either the internal or external perspective, much like an intruder would. The results should clearly articulate security issues and recommendations.

Scope of work

Scope of work broadly includes:
1. Follow-up audit of IT systems of HUDCO: Data Center, LAN and WAN equipment, servers, databases, applications, intranet and websites etc.
2. Detailed report with an implementable step-by-step solution for fixing the vulnerabilities found within the existing infrastructure/applications.
3. Suggest technology for procurement and/or upgrades with generic specifications and indicative budgeting, and provide onsite support to HUDCO.
4. Revision of existing procedures and policies, or new ones wherever required, including Backup and Recovery procedures, Disaster Recovery etc.
The detailed technical scope of work shall be as per Annexure II.

Eligibility Criteria:
1. The bidder should be empaneled with CERT-In (Computer Emergency Response Team India) and have at least three professionals holding any two of the CISA/CISM/CISSP/CEH certifications. The bidder should produce documentary evidence.
2. The bidder must have (i) at least five years' experience in security consultancy and (ii) must have completed at least two similar Security Audit assignments in Central/State Government Offices/Courts/PSUs in the last three years. Documentary evidence should be produced in support of experience.
3. The bidder must have an annual turnover of not less than Rs. 1 Crore in each of the past three financial years (2013-14, 2014-15, 2015-16) with a positive net worth. The bidder should produce documentary evidence.
Page 2 of 19

4. The company should be Delhi based and should have an office in Delhi/NCR from where this project shall be coordinated, so as to avoid delay in execution. The professionals handling this project should be in Delhi/NCR during the project duration and may have to attend HUDCO on one day's prior intimation. A written confirmation to this effect is to be given in the technical bid, along with the names, addresses and contact details of the three professionals who shall be attached to this project.

Vendors who are registered with MSME are welcome to participate in the bidding as notified by the Ministry of Micro, Small and Medium Enterprises, Govt. of India. No EMD shall be payable by these vendors provided that, on the date of opening of this tender, they are registered under the single point registration scheme of NSIC/Udyog Aadhaar/other schemes under MSME/other documented eligibility as per the concerned state. Relaxations announced by Govt. from time to time shall be applicable to these bidders subject to full compliance with the other terms and conditions of the tender and contract. The product range mentioned in such certificate should be similar to the requirements of this tender. Valid documentary evidence is to be submitted.

Terms and Conditions:
1. The bids are to be submitted in three separately sealed envelopes. The first envelope shall contain the EMD, the second the Technical bid and the third the Financial bid. All three envelopes shall be clearly superscribed with the Tender Name and Last date, sealed separately and put in a bigger envelope clearly superscribed with the Tender Name and Last date. Upon receipt of the EMD amount, the technical bid shall be opened and, after the bidder qualifies technically to the satisfaction of HUDCO, the financial bids of the successful bidders will be opened. The L1 bid shall be evaluated as per the Financial bid format, based on the Grand total bid value only.
2. The bids should be prepared strictly as per the terms and conditions, failing which the bid is liable to be rejected without any further notice.
3. The period of validity of the bid for acceptance should be six months from the closing date. A bid with less validity shall not be accepted. HUDCO shall not entertain any request for escalation in cost/price on any account during the period of validity of the bid.
4. Any modification in the offer after the opening date will not be considered.
5. The EMD Bid Envelope must contain an earnest money deposit of Rs. 15,000/- (Fifteen thousand only) by way of Draft/Pay order/Banker's cheque in favour of HUDCO, payable at New Delhi. A bid without EMD will be considered unresponsive and rejected. MSME registered vendors exempted from payment of the EMD amount, subject to the prevailing Office Memorandum issued by competent authorities from time to time, may submit the EMD exemption certificate instead. The EMD or "EMD exemption certificate" envelope shall be put in the specified Tender Box at 1st Floor, HUDCO Bhawan, India Habitat Center, Lodhi Road, New Delhi – 110003, before the specified date. Only on receipt of a valid EMD or EMD Exemption certificate (if any) shall the technical bid be opened online, which shall be evaluated as per the criteria given in the detailed tender document to the satisfaction of HUDCO. The financial bids of only those bidders who are technically qualified will be opened online. The L1 bid shall be evaluated as per the Financial bid format.
6. The EMD of unsuccessful Vendors shall be refunded to the bank account whose details are mentioned in the technical bid, within sixty days from the date of award of contract. It is the sole responsibility of the Vendor that the following bank details provided along with the EMD Bid are complete and correct:
   Bank Name
   Bank A/c Number
   Branch Name
   Branch Tel. No.
   Branch Address
   Account type: CC/OD (SB/CA/cash credit with code 10/11/13)
   Bank Code (9 digit code number of bank and branch)
   PAN No.
   Service Tax No.
   TIN No.

7. The EMD of the successful bidder will be converted into security deposit. A sum of 10% of the gross amount of each running bill shall be deducted as security deposit till the sum amounts to 5% of the ordered value of the work. The complete 5% amount may also be deducted from the first bill itself, if agreed by the vendor. The EMD deposited will be counted towards partial fulfillment of the security deposit. The vendor shall also furnish a Performance Bank Guarantee (PBG) issued by a scheduled commercial bank in favour of HUDCO, equal to 5% of the total order value, within 15 days of the start of the contract. The PBG shall initially be valid for a period of one year from the date of its issuance by the bank. In case the contract period gets extended, the vendor shall get the validity of the BG extended to cover the extended period. No interest will be paid on the security amount. The security amount shall be released only after successful completion/satisfactory execution of the contract, after the end of the support period.
8. In the commercial bid, the rates quoted should clearly specify whether service tax, sales tax and central sales tax/VAT or excise duty are applicable and, if so, the applicable rates. If this information is not indicated in the bid, it will be presumed that the rates quoted are inclusive of all taxes/duties. In case of an increase/decrease in service tax during the tenure of the contract, the amount as per the actual service tax at the time of payment shall be paid.
9. The rates quoted by the Vendor in the financial bid are final and no adjustment of the contract price shall be made on account of variations in costs or any other cost component affecting the total cost of fulfilling the obligations under the contract. The contract price shall be the only payment payable by HUDCO to the Vendor for completion of the contractual obligations under the contract, subject to the terms of payment specified in this contract. The price shall be inclusive of all taxes, duties, charges and levies as applicable. Statutory deductions as per law, e.g. income tax, shall be made.

10. During the selection process HUDCO reserves the right to seek clarification or verification of any information mentioned in the bid/supplied by the Vendor and/or a presentation of the proposed solution before finalizing the award of work.
11. Bids received late will not be considered. Postal/other delay shall not be considered.
12. HUDCO reserves the right to reject any or all bids and/or alter the quantity without assigning any reason.
13. A bid will be disqualified if, at any point during the selection process, it is found that the information provided is incorrect.
14. Bids shall be rejected outright and not evaluated for failure of the Vendor to meet the deadline, failure to provide all information as specified above, or failure to accept the aforesaid terms and conditions.
15. Bids with vague or indifferent expressions such as "subject to ......" shall not be accepted. Bids with any condition, including a conditional rebate, shall also be rejected. Overwriting/over-typing or erasing of figures is not allowed and shall render the tender invalid.
16. Bids received telegraphically, by fax or by e-mail shall not be entertained.
17. Prospective Service Providers may visit HUDCO on a working day to see the current setup before preparing their bid.
18. Payment Terms: Payment shall be released, subject to meeting all terms and conditions of the job order, as per the following schedule:

   Activity                                                                                 Payment
   1) Submission of all draft reports mentioned in the scope of work and explaining          40%
      clarifications/solutions to the concerned officials
   2) Submission of final reports and acceptance by HUDCO                                    50%
   3) One month after release of payment 2) above                                            10%

19. Intellectual Property Rights of all deliverables shall lie with HUDCO. The Vendor will not copy or disclose any information related to HUDCO documents or about the project whatsoever to any third party.
20. If during the subsistence of this tender and after award of contract or thereafter, any dispute arises between the Parties hereto out of or in connection with the validity, interpretation, implementation, material breach or any alleged material breach of any provision of this Contract, or regarding any question, including whether the termination of this Contract by one Party hereto has been legitimate, the Parties hereto shall endeavor to settle such dispute amicably and/or by Conciliation governed by the Arbitration and Conciliation Act, 1996. The attempt to bring about an amicable settlement is considered to have failed as soon as one of the Parties hereto, after reasonable attempts continuing for not less than thirty (30) days, gives thirty (30) days' notice in writing to the other party to refer the dispute to arbitration. In case of such failure the dispute shall be referred to an authority designated by the CMD of HUDCO for the purpose of this clause, who shall act as the sole Arbitrator for settlement of such dispute. The arbitration proceedings shall be governed by the Arbitration and Conciliation Act, 1996, shall be held in Delhi, India and shall be governed by the substantive laws of India.
21. If the Vendor fails to execute the order, the security amount and/or Bank Guarantee will be forfeited at the sole discretion of HUDCO and the company will be debarred from dealing with HUDCO in future.
22. The Vendor will not sub-contract the prime responsibilities to third parties without the written consent of HUDCO. The responsibility to execute all clauses of the contract lies with the Vendor only and the Vendor is fully responsible for contract execution.
23. Continuance of the contract shall be subject to satisfactory performance of the Vendor, and it may be cancelled at any time without assigning any reason; the Vendor will be paid for the actual work completed at that time. The decision of HUDCO in this regard shall be final and binding.
24. It will be the responsibility of the Vendor to make statutory payments to their personnel as per prevailing laws. HUDCO may ask for certification that all statutory requirements regarding payments to employees are complied with by the Service Provider. The Vendor shall be responsible for the conduct of the manpower deputed, and HUDCO may request their replacement without explaining any reason if their conduct/performance is not acceptable to HUDCO.
25. The Vendor will maintain the confidentiality of the information being accessed. The Vendor shall not be allowed to take away any file/record etc., either as hard copy or soft copy, and the work is to be carried out in HUDCO premises itself. It will be the responsibility of the Vendor to take care of document security. The Vendor will ensure that the documents/files/resources handed over to it are kept in proper condition and that no document is soiled/lost/misplaced/damaged. In case of loss of any document an appropriate penalty shall be imposed on the Service Provider. This may result in forfeiture of the security deposit and/or bank guarantee and/or stopping of partial/complete payment and/or legal action depending on the nature of the loss; the decision of HUDCO in this regard shall be final and binding on the Service Provider. The successful vendor will have to sign a Non-Disclosure Agreement with HUDCO before accessing HUDCO's data.
26. The vendor has to complete the job on a turnkey basis and has to arrange anything and everything required to complete the work.
27. The successful bidder shall be fully responsible for meeting HUDCO's requirements as mentioned, to the satisfaction of HUDCO. The bidder has to submit the draft reports in not more than 2 months, and the final reports are to be submitted within one month of receiving HUDCO's comments on the draft reports. The Vendor has to provide professional support after submitting the draft reports, as and when required by the concerned officials of HUDCO, to explain the technicalities involved in the draft/final reports, to explain the solution and to provide sample code/scripts/configuration etc. and other technical help/guidance to fix the vulnerabilities. Following is the minimum number of days to be spent at HUDCO:
   • Clarifications/guidance on draft reports: two months
   • Clarifications/guidance on final reports: one month
   This duration can be in one go or in parts as mutually agreed, so that the normal functioning of the office is not affected. Our target shall be to complete the whole process within four months of issue of the order; however, the entire scope of work is to be executed as per the terms and conditions of the job order.
28. A flat penalty of 1% of the total order value per week shall be charged beyond the agreed time as defined in clause 26, subject to a maximum of 20% of the total order value. However, delay due to unforeseen reasons or on the part of HUDCO shall not be counted. The decision of HUDCO in this regard shall be final and binding.
29. If the Vendor fails to execute the order, the security amount and/or Bank Guarantee will be forfeited at the sole discretion of HUDCO and the company will be debarred from dealing with HUDCO in future.

Your bid should be sent in a sealed cover containing all three envelopes as stated above, superscribed "Security Audit for IT Systems and suggesting DR Policy", and should be deposited in the tender box available at 1st Floor at the above address on or before the last date, which is 15/02/2017, 3.00 PM.

For and on behalf of HUDCO
(Dr. Satpal Singh)
Senior Manager (IT)


Annexure – I

TENDER FOR Security Audit for IT Systems
Proforma for Technical Bid

1. Name of the Company ____________________________________________
2. Status (Private/PSU/Others) _______________________________________
3. Date of Establishment _______________ Present Manpower ____________
4. Turnover during the last three years (should not be less than Rs. 1 Crore; attach documentary evidence)
5. Experience of the bidder in execution of similar kinds of jobs (specific details as per tender conditions to be enclosed)
6. Address and contact details of the office in Delhi/NCR, along with the three professionals handling this project
7. Details of Bank Account (for release of EMD/Security Deposit/Payments):
   Bank Name
   Bank A/c Number
   Branch Name
   Branch Tel. No.
   Branch Address
   Account type: CC/OD (SB/CA/cash credit with code 10/11/13)
   Bank Code (9 digit code number of bank and branch)
   PAN No.
   Service Tax No.
   TIN No.
8. Other documents as per the tender document.
9. It is confirmed that the company is fully experienced and shall execute the assignment as per the scope of work mentioned in Annexure II and agrees to all terms and conditions as per the tender document.

Authorized Signature with seal
Contact No.
Email id
Fax No.

Annexure - II

SCOPE OF WORK

The security consultant has to perform a security audit of online assets and company resources through the network, servers and applications, from either the internal or external perspective, much like an intruder would. The results should clearly articulate security issues and recommendations. This audit is envisaged to identify gaps and suggest remedial solutions which would be implemented in the current scenario of HUDCO.

1.0 Our Expectations from Security Audit Services
• Identify the new threats facing the organization's information assets so that HUDCO can quantify information risk and provide for adequate information security expenditure.
• Use of the latest tools like SAINT, Acunetix or similar tools for vulnerability management, penetration testing and compliance.
• Reduce the organization's IT security costs and provide a better return on IT security investment (ROSI) by identifying and resolving vulnerabilities and weaknesses. These may be known vulnerabilities in the underlying technologies or weaknesses in the design or implementation.
• Provide the organization with assurance: a thorough and comprehensive assessment of organizational security covering policy, procedure, design and implementation.
• Adopt best practices by conforming to legal and industry regulations.
• Provide guidance to the system administrators and software developers for implementation of the security policy and standards, audit the activities performed, and report compliance with and exceptions to the security policy within the existing framework.
• Suggestions for a Disaster Recovery policy for HUDCO as per the new IT setup and also for future requirements.

The vendor is required to recommend the correct course of action to plug all known vulnerabilities and should provide a detailed report with an implementable step-by-step solution and/or procurement of new products suggested for fixing the vulnerabilities found in infrastructure/applications. The vendor will conduct a security assessment of the network infrastructure and applications and provide the deliverables listed in the deliverables section. Vulnerability assessment and penetration testing has to be conducted with the help of automated tools, a few custom scripts and manually executed attacks, which should produce a comprehensive list of vulnerabilities; the vendor must verify this list to eliminate false positives/negatives and finally deliver an executive and a technical report with recommendations to fix the issue(s). The vendor has to provide professional support after submitting the draft reports, as and when required by the concerned officials of HUDCO or vendors authorized by HUDCO, to explain the technicalities involved in the draft/final reports, to explain the solution and to provide sample code/scripts/configuration etc. and other technical help/guidance to fix the vulnerabilities. Following is the minimum number of days to be spent at HUDCO:
• Clarifications/guidance on draft reports: one month
• Clarifications/guidance on final reports: two months

1.1 Current IT Infrastructure setup at HUDCO

Following is the current IT infrastructure setup at HUDCO:

S.No | Description | Qty
Old IT Infrastructure at HUDCO Corporate Office*
1  | E450 Enterprise SUN Server with Oracle 8i database server, 2 x 18 GB HDD and 2 x 72 GB HDD | 1
2  | E450 Enterprise SUN Server with Oracle 9iAS Application Server, 2 x 18 GB HDD and 2 x 72 GB HDD | 1
3  | SUN StorEdge 3310, RAID 5 with 6 HDD of 72 GB each | 1
4  | Oracle Database, total size under 100 GB; total Oracle concurrent users: 45 | 1
5  | Airtel VPN bandwidth of 2 x 4 Mbps at the HUDCO DC at Delhi, through which all ROs are connected to HO with bandwidth of 512 Kbps to 1 Mbps | 1
6  | Intranet server: Intel Core i3 3.10 GHz, 2 GB RAM, Windows Server 2003 Standard Edition SP1, 100 GB HDD, 10 GB data, .NET Framework (ASP.NET and C#), Oracle 10g | 1
7  | Core Routers Cisco 3845 | 2
8  | Routers, make: Cisco 2821 | 2
9  | Switch 2960 without fibre, 24 UTP ports | 8
10 | Switch 2940, 8 ports | 61
11 | Cisco PIX 515E R BUN Firewall, 515E upgrade | 1
12 | Core Switch Cisco Catalyst 6509E | 1
13 | Distribution Switch Type 1, Cisco Catalyst 2960 | 10
14 | Distribution Switch Type 2, Cisco Catalyst 2940 | 20
15 | Netgear Wi-Fi Routers | 18
16 | Routers at ROs, Cisco 2821 | 21
17 | Switches at ROs | 21
New IT Infrastructure at HUDCO Corporate Office*
18 | Servers: Lenovo x3650 M5 | 2
19 | Storage: NetApp FAS 2554 | 1
20 | Backup Server: Lenovo x3650 M5 | 1
21 | Windows 2012 Data Center Edition OL with Software Assurance Pack (SAP) | 2
22 | Windows 2012 Server CAL (User CALs) OL with Software Assurance Pack (SAP) | 850
23 | Core Switch (HP 5900 AF Switches) | 2
24 | Distribution Switch (HP 5500 HI Series) | 11
25 | Edge Switch (HP 5130 24G PoE Switch) | 11
26 | Routers for Internet (HP MSR3024 AC) | 4
27 | Routers for MPLS (HP MSR3024 AC) | 2
29 | UTM for Internet (Cyberoam CR200iNG) | 4
30 | UTM for MPLS (Cyberoam CR500iNG XP) | 2
31 | Link Load Balancers: Radware LinkProof 1008 MultiWAN Switch | 2
32 | Network Management Solution (HP Intelligent Network Center software) | 1
33 | Branch Routers, make: HP MSR930 | 23


* The above old IT infrastructure is being replaced with the new IT infrastructure.

1.2 Approach & Methodology

The Security Consultant has to provide a complete view of the IT infrastructure security. Testing has to be performed from a number of network access points, representing each logical and physical segment. Testing has to be conducted with the help of automated scanners and custom scripts, followed by in-depth manual security testing against the applications. The vendor should provide adequate measures to overcome potential security threats to the network, both internal and external, such as security violations, interception, spoofing, denial of service attacks, virus attacks, etc. A detailed report with an implementable step-by-step solution for fixing the vulnerabilities found within the existing infrastructure/applications is to be submitted. Any products required for executing this assignment are to be arranged by the vendor during the period of the contract.

1.3 Security Assessment of Servers and Data Center

The assessment has to cover the full range of the threat spectrum, from the presence of an antivirus engine, to the presence of malicious code, to vulnerabilities that might enable denial of service and other sophisticated attacks, for around 10 Solaris/Windows servers. The vendor has to follow robust methodologies, use software that carries the most up-to-date vulnerability research available, and possess the creative instinct to use the tools in both typical and unconventional ways. The vendor has to deliver clear, unambiguous results that address both the technical and business objectives as per the existing security policy of HUDCO. The vendor's approach to the security audit of servers requires the following checks, apart from the vendor's specific methodology:
1. Port scanning
2. Identifying vulnerabilities in the operating system/services/configuration/database/application server/web server
3. User access management as per roles (least privilege rule)
4. Duplicate and dummy user accounts are to be eliminated if they exist
5. Access logs are to be reviewed to find any malicious activity
6. User account rules are to be verified as per the policy
7. Password management policies are to be verified and applied as per the security policy
8. File system security of the OS (file integrity checks)
9. Login process and remote access to the servers
10. Audit of data center procedures as per industry standards, e.g. access control system reports etc., and suggesting procedures and products (without brand names) to fill the gaps
11. Other items as per best practices
12. Recommendations and reporting

1.4 Application Security Methodology

The vendor has to perform application testing to identify and investigate the extent and criticality of vulnerabilities found in the web browser and applications, including front-end and back-end systems. Activities range from injection and cross-site scripting to decompiling code and HTTP proxy manipulation. For application security services, the vendor has to follow OWASP (Open Web Application Security Project) guidelines to accomplish the web application security assessment and assess the applications from all aspects. The following checks are required, apart from the vendor's specific methodology:
a. Authentication
b. Authorization
c. Session Management
d. Data Validation
e. Error Handling/Information Leakage
f. Database
g. Cryptography
h. Configuration Management
i. Error Handling
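Check 8 in section 1.3 (file integrity) is the kind of check the vendor is expected to leave behind as a sample script under clause 27. The following is an added illustration written for this edit, not code from the RFP or from HUDCO: it baselines the SHA-256 digest, size and permission bits of every regular file under a directory and reports what was added, removed, modified or re-permissioned since the baseline. The directory tree, file names and contents in demo() are constructed for the example.

```python
"""File-integrity baseline and drift check.

Added illustration for check 8 in section 1.3 (not HUDCO's code).  The
baseline records the SHA-256 digest, size and permission bits of every
regular file below a root directory; a later run is compared against it and
files that were added, removed, modified or re-permissioned are reported.
The directory tree built in demo() is constructed for the example.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, dict]:
    """Map each regular file (relative POSIX path) to its digest, size and mode.

    Symlinks are skipped on purpose: following them would let an attacker
    point a 'monitored' path at an unchanged file elsewhere.
    """
    root_path = Path(root)
    baseline = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        baseline[p.relative_to(root_path).as_posix()] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,
        }
    return baseline


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Return sorted lists of added / removed / modified / perm_changed paths."""
    common = set(baseline) & set(current)
    modified = {k for k in common if baseline[k]["sha256"] != current[k]["sha256"]}
    perm_changed = {k for k in common - modified if baseline[k]["mode"] != current[k]["mode"]}
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(modified),
        "perm_changed": sorted(perm_changed),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake /etc, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (etc / "passwd").chmod(0o644)
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "sshd_config").chmod(0o600)
        baseline = build_baseline(tmp)

        # Simulated intrusion: weaken sshd, loosen passwd, drop a preload hook.
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")
        (etc / "passwd").chmod(0o666)
        (etc / "ld.so.preload").write_text("/tmp/.x/libhook.so\n")
        return compare(baseline, build_baseline(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13s} {paths}")
```

In use, the baseline is generated on a known-good server, stored off-box and compared on a schedule or after an incident; an attacker with root can rewrite an on-box baseline to match the tampered files. The Solaris and Windows servers listed in 1.1 would be baselined the same way, covering at least the OS binaries, service configuration and the web roots of the applications in 1.5.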

1.5 The following existing applications are to be audited and suggested actions are to be explained:
1. Loan Accounting application
2. Financial Accounting application
3. Scheme Information System
4. Payroll
5. HUDCO Websites. A safe-to-host certificate is to be issued for the following domains:
   i. www.hudco.org
   ii. www.myhudco.org
   iii. www.apmchud.com
   Any temporary staging server, IP address and other tools required for the same are to be arranged by the vendor.
6. HUDCO Intranet portal and employees portal
7. HR Information System
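For the 'Data Validation' and 'Database' checks of section 1.4, applied to the applications listed in 1.5, the defect an auditor looks for first is a query assembled from user input. The following is an added illustration, not code from the RFP, from HUDCO or from any of the applications above: the intranet in 1.1 runs ASP.NET against Oracle, and sqlite3 is used here only so the example runs stand-alone. The users table, credentials and payloads are constructed; the plaintext password column is itself a finding under 'Cryptography' and is kept only so the injection can be shown.

```python
"""Login query built from user input vs. a parameterized query.

Added illustration for the 'Data Validation' / 'Database' checks in section
1.4 (not HUDCO's code).  The intranet in 1.1 runs ASP.NET against Oracle;
sqlite3 is used here only so the example runs stand-alone.  The users table
and credentials are constructed demo data.  Plaintext password storage is
itself a finding under 'Cryptography' and is left in only to keep the
injection demonstrable.
"""
import sqlite3
from typing import Callable, Dict, Optional, Tuple

Row = Optional[Tuple[str, str]]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "S3cret!", "admin"), ("clerk", "pass123", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Row:
    """Concatenates input into SQL: the user controls part of the statement."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Row:
    """Bound parameters: input is data, never SQL, whatever quotes it carries."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Payloads an auditor would try against a login form; each should fail.
PAYLOADS = {
    "comment out password check": ("admin' --", "wrong"),
    "tautology in password": ("nobody", "' OR '1'='1"),
    "tautology with comment": ("x' OR 1=1 --", ""),
}


def audit_login(login: Callable[[sqlite3.Connection, str, str], Row]) -> Dict[str, bool]:
    """Map payload name -> True if that payload logged in without valid credentials."""
    conn = make_db()
    results = {}
    for name, (user, pw) in PAYLOADS.items():
        try:
            results[name] = login(conn, user, pw) is not None
        except sqlite3.Error:
            results[name] = False  # a syntax error is a failed login, not a bypass
    return results


if __name__ == "__main__":
    print("vulnerable:", audit_login(login_vulnerable))
    print("safe:      ", audit_login(login_safe))
```

The same split applies to the ASP.NET/Oracle code base: string-built SQL in the data layer maps to a Category A finding (fixable with bound parameters, no expenditure), and the vendor's report should list the affected pages, the payload that demonstrated the bypass, and the parameterized replacement.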

1.6 Firewall/UTM Audit and Configuration Analysis

The objective of the Firewall/UTM audit and configuration analysis shall be to check whether it accepts or denies packets such that only packets which are expressly permitted are allowed into the network and all others are denied. It controls traffic flow between the enterprise network and the Internet. The vendor has to use tools such as hping2, firewall/UTM test tools or other tools to test the firewall/UTM rule base. Specific checks that have to be carried out include, but are not limited to:
• Check for default configuration of the Firewall/UTM
• Response to various protocols like TCP, UDP, ICMP, etc.
• List of open ports available to external users
• Attempt to determine the rule base and verify it for:
  - Admin access
  - Lockdown rule
  - Internal users
  - External users
  - Web server access
  - POP3 access to the mail server
  - Access to ICQ connections
• Logging
• Audit of the authentication mechanism
• Audit of the encryption method
• Third-party software used with the firewall for additional services
• Firewall/UTM failure mode: fail open or fail secure
• Ease of recovery and backup of the Firewall/UTM

1.7 Audit of Routers, Switches and Video Conferencing System

23 Regional/Development Offices (RO/DO) of HUDCO are attached to the Corporate Office (CO) through the WAN, and individual offices are connected through LANs using Cisco and HP routers and switches. The vendor has to analyze the configurations for:
• Latest IOS/firmware version
• Access control lists that restrict packet flow
• Filtering rules that restrict traffic destined for the router itself
• Authentication methods for remote and local access, and the adequacy of these controls
• Password strength for configuration users (the MD5-hashed "enable secret" must be used rather than the reversible "enable password")
• Whether per-port security is enabled to eliminate unauthorized spanning, where applicable (Cisco switches)
• Routes, especially static ones, for security concerns
• SNMP configuration on network elements (read and write community strings, etc.)
• Adequacy and security of logging configurations
• Location of offline configuration files and who is allowed access to them
• Any other audit process as per standards
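With 23 branch routers plus the switches in 1.1, the configuration checks above are best run as a script over exported running-configs rather than by eye. The following is an added illustration written for this edit, not code from the RFP and not a HUDCO device configuration: it parses Cisco IOS style text and flags the items listed above (enable secret, password encryption, SNMP community names and access, port security, telnet on the VTY lines, missing logging host). The weak and hardened configurations are constructed, their password strings are placeholders rather than real hashes, and the rule that a VTY block without a 'transport input' line is flagged (older IOS defaults allow telnet) is an assumption made for the example. HP Comware devices use different syntax and would need their own checks.

```python
"""Cisco IOS configuration review for the checks in section 1.7.

Added illustration, not HUDCO's code; the two configurations are constructed
and their password strings are placeholders, not real hashes.  Only IOS
syntax is handled; the HP Comware routers in 1.1 would need separate rules.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]    # (check id, detail)

SNMP_RE = re.compile(r"snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?$")


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return top-level lines and {'interface X' / 'line vty ...': [child lines]}."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():                 # indented: belongs to the current block
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        if line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        else:
            current = None
    return top, sections


def audit_ios(text: str) -> List[Finding]:
    top, sections = parse_config(text)
    f: List[Finding] = []

    # 'enable password' is type 0/7 (reversible); require the hashed 'enable secret'.
    if any(l.startswith("enable password") for l in top) and \
            not any(l.startswith("enable secret") for l in top):
        f.append(("ENABLE_SECRET", "enable password used without enable secret"))
    if "service password-encryption" not in top:
        f.append(("PASSWORD_ENCRYPTION", "service password-encryption not enabled"))

    for l in top:                            # SNMP: default names, write access, no ACL
        m = SNMP_RE.match(l)
        if not m:
            continue
        name, mode, acl = m.groups()
        if name.lower() in ("public", "private"):
            f.append(("SNMP_DEFAULT_COMMUNITY", name))
        if mode == "RW":
            f.append(("SNMP_RW", name))
        if acl is None:
            f.append(("SNMP_NO_ACL", name))

    if "ip http server" in top:
        f.append(("HTTP_SERVER", "cleartext web management enabled"))
    if not any(l.startswith("logging host") or re.match(r"logging \d", l) for l in top):
        f.append(("NO_LOGGING_HOST", "no syslog destination configured"))

    for header, body in sections.items():
        if header.startswith("interface ") and "switchport mode access" in body \
                and "switchport port-security" not in body:
            f.append(("PORT_SECURITY", header.split(" ", 1)[1]))
        if header.startswith("line vty"):
            transports = [b for b in body if b.startswith("transport input")]
            # Assumption: no 'transport input' means the platform default, which on
            # older IOS includes telnet, so it is flagged as well.
            if not transports or any(re.search(r"\b(telnet|all)\b", t) for t in transports):
                f.append(("VTY_TELNET", header))
            if not any(b.startswith("access-class") for b in body):
                f.append(("VTY_NO_ACCESS_CLASS", header))
    return f


WEAK_CONFIG = """\
hostname RO-DELHI-RTR
no service password-encryption
enable password 7 0822455D0A16
snmp-server community public RO
snmp-server community hudco-rw RW
ip http server
interface GigabitEthernet0/1
 switchport mode access
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
line vty 0 4
 transport input telnet ssh
 login
"""

HARDENED_CONFIG = """\
hostname RO-DELHI-RTR
service password-encryption
enable secret 5 $1$placeholder$notARealHash
snmp-server community hudco-ro-2017 RO SNMP-MGMT
no ip http server
logging host 10.1.1.50
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for check, detail in audit_ios(WEAK_CONFIG):
        print(f"{check:24s} {detail}")
```

Every finding the script raises on the weak configuration is a Category A item in the 2.1 report format: each is fixed with configuration lines already supported by the device, and the hardened configuration above is the 'after' the vendor would hand to HUDCO's network team.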

Security audit of the Video Conferencing System having the following equipment:
Old equipment:
1) Tandberg MCU 4501, 9 ports, 4 Mbps per port without loss of port, at CO
2) Tandberg C20 Plus HD Group Video Conferencing System with camera and mic, at CO
3) Tandberg VCS and TMS (management, scheduling, gatekeeper software and hardware), at CO
4) Integrated desktops (Tandberg 1700 MXP) at ROs
This equipment is under replacement with a cloud-based solution having recording on the codec, an array of mics, DSP and software on the cloud. The vendor shall be provided with the updated details at the time of the audit.

1.8 Audit of VPN

The company is using Airtel's MPLS VPN. The audit of the VPN may include, if feasible without asking for any access rights from the service provider, the following:
1. VPN use is to be controlled using either one-time password authentication such as a token device, or a public/private key system with a strong passphrase.
2. When actively connected to the corporate network, the VPN client will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
3. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
4. Any other requirement as per standard practice.

1.9 Audit of Network

The HUDCO WAN connects the Regional Offices with the Corporate Office through Airtel's MPLS VPN. The audit of the network will include, but not be limited to, the following steps: gather information through documentation and conduct a questionnaire session with the network administrators to examine the business and technical requirements of the current network architecture, to ensure a proper balance between functionality, cost and security. The vendor has to prepare a network security architecture document and list the monitoring, detection and suppression capabilities required across the network. It also has to include plans for future network expansion to mitigate potential security risks. The following tests may be carried out if required:
• Network performance testing using automated tools (including suggestions for increasing performance)
• Analysis at link level
• Analysis at application level
• Review of the appropriateness of the network topology and bandwidth
• Review of the adequacy or otherwise of the hardware installed
• Network stress/load test

2.0 Audit of Backup, Recovery and Storage Procedures

The audit of backup and recovery mechanisms and procedures has to cover the following:
a) Operating system
b) Database server
c) Mail server
d) Configuration files of network devices
e) Network Attached Storage (NAS)/tape backup
f) Audit of the relevant policies and procedures
g) Audit to check all known vulnerabilities

If the existing procedures are found inappropriate, the vendor has to suggest revisions. The vendor has to suggest an implementable DR policy in line with the existing security policy of HUDCO or the revisions suggested.

2.1 Deliverables

HUDCO expressly stipulates that the Consultant's selection under this RFP is on the understanding that this RFP contains only the principal provisions for the entire assignment, and that delivery of the deliverables and the services in connection therewith are only a part of the assignment.

1. Management Report

A high-level executive summary report highlighting the key risk areas and the impact of the resulting vulnerabilities after a successful audit of the IT infrastructure, and the step-wise solution.

2. Technical Vulnerability and Solution Report
A detailed report about the security issues discovered, with CVE, CWE, Bugtraq and vendor references for these wherever available, and recommendations to address these issues as a step-by-step implementable solution, strictly in the following format in THREE CATEGORIES:

CATEGORY A: Recommended mitigation techniques using the existing infrastructure, where no expenditure is involved:
Vulnerability | Severity (High/medium/low) | Impact | Category* (Network/Database/Software Application/Hardware/OS) | Recommended mitigation techniques within the existing infrastructure

CATEGORY B: Recommended mitigation techniques using new tools, with their details and a step-by-step implementable solution:
Vulnerability | Severity (High/medium/low) | Impact | Category* (Network/Database/Software Application/Hardware/OS) | Requirement of new tools for the interim period, with a step-by-step implementable solution, till ERP implementation

CATEGORY C: No interim solution possible; new tools for a permanent solution are mandatory.

* One report should be provided for each category and for each software application.

3. Best Practices Documents
Guidelines based on industry standards and regulations for compliance with IT security standards and best practices, to be given separately for Network/Database/Software Applications/Hardware/OS.

4. Suggestions for improvement of the existing Security Policy, and conversion of policies to procedures wherever required.

5. Safe-to-host certificate for the HUDCO portals as per para 1.5 above.

6. Suggestions for a Disaster Recovery policy for HUDCO as per the new IT setup and also for future requirements.

Annexure –II

TENDER FOR Security Audit for IT Systems

Proforma for Financial Bid

S.No | Total Value of contract including all expenses whatsoever | Taxes | Total Amount
1    |                                                            |       |

Amount in words. ___________________________________________________________

No correction/over writing/misprinting/addition is allowed.

Signature & Name
Designation & Seal of Company
Contact No
Email id

Annexure - III

PROFORMA OF BANK GUARANTEE FOR CONTRACT PERFORMANCE GUARANTEE BOND

Ref.: ___________________

Date: ______________

Bank Guarantee NO. _______________________________________________________

To
Executive Director (IT)
Housing & Urban Development Corporation Ltd.
HUDCO Bhawan, India Habitat Centre,
Lodhi Road, New Delhi - 110 003

Against contract vide Advance Acceptance of the Bid No. _______________________ dated _____________ covering _______________________________________ (hereinafter called the said 'contract') entered into between HUDCO and _____________________________ (hereinafter called the Vendor) this is to certify that at the request of the Vendor we ________________________________ Bank Ltd., favour of HUDCO, the amount of ____________________________________________ (write the sum here in words) to indemnify and keep indemnified HUDCO against any loss or damage that may be caused to or suffered by HUDCO by reason of any breach by the Vendor of any of the terms and conditions of the said contract and/or in the performance thereof.

We agree that the decision of HUDCO, whether any breach of any of the terms and conditions of the said contract and/or in the performance thereof has been committed by the Vendor and the amount of loss or damage that has been caused or suffered by HUDCO, shall be final and binding on us and the amount of the said loss or damage shall be paid by us forthwith on demand and without demur to HUDCO.

We _________________________________ Bank Ltd, further agree that the guarantee herein contained shall remain in full force and effect during the period that would be taken for satisfactory performance and fulfillment in all respects of the said contract by the Vendor (stipulated date of completion plus sixty days beyond that), i.e. till _____________ hereinafter called the said date, and that if any claim accrues or arises against us _____________________________________________________ Bank Ltd, by virtue of this guarantee before the said date, the same shall be enforceable against us _______________________________________ Bank Ltd, notwithstanding the fact that the same is enforced within six months after the said date, provided that notice of any such claim has been given to us _______________________________________ Bank Ltd, by HUDCO before the said date.

Payment under this letter of guarantee shall be made promptly upon our receipt of notice to that effect from HUDCO.

It is fully understood that this guarantee is effective from the date of the said contract and that we ________________________________ Bank Ltd, undertake not to revoke this guarantee during its currency without the consent in writing of HUDCO.

We undertake to pay to HUDCO any money so demanded notwithstanding any dispute or disputes raised by the Vendor in any suit or proceeding pending before any court or Tribunal relating thereto, our liability under this present bond being absolute and unequivocal. The payment so made by us under this bond shall be a valid discharge of our liability for payment thereunder and the Vendor shall have no claim against us for making such payment.

We ________________________________________________ Bank Ltd, further agree that HUDCO shall have the fullest liberty, without affecting in any manner our obligations hereunder, to vary any of the terms and conditions of the said contract or to extend time of performance by the Vendor from time to time or to postpone for any time or from time to time any of the powers exercisable by HUDCO against the said Vendor and to forbear or enforce any of the terms and conditions relating to the said contract, and we, _________________________________ Bank Ltd., shall not be released from our liability under this guarantee by reason of any such variation or extension being granted to the said Vendor or for any forbearance by HUDCO to the said Vendor or for any forbearance and/or omission on the part of HUDCO or any other matter or thing whatsoever, which under the law relating to sureties, would, but for this provision, have the effect of so releasing us from our liability under this guarantee.

This guarantee will not be discharged due to the change in the constitution of the Bank or the Vendor.

Date ___________________

Place ___________________

Witness ___________________ Name __________________

Signature _____________________ Printed

(Bank's common seal)
