Punjab & Sind Bank (A Government of India undertaking)

Transcription

1 Punjab & Sind Bank (A Govt. of India Undertaking) Punjab & Sind Bank (A Government of India undertaking) Pre-Bid Query Clarifications Dated: RFP No. PSB/HOIT/RFP/94/ , Dated: Request for Proposal for Selection of Security System Integrator to set up Security Operation Centre (SOC) for Bank PUNJAB & SIND BANK HO IT Department 21, Rajendra Place, New Delhi

2 Pre Bid Queries Clarifications - Tender Ref No. PSB/HOIT/RFP/94/ , Dated: Request for Proposal for Selection of Security System Integrator to set up Security Operation Centre (SOC) for Bank Sr. No. Page No. Clause Number RFP Clause Bidders Remark BANK'S CLARIFICATION Subcontracting Period of Contract Payment Terms Monitoring, Reporting and Security Dashboard: Service Levels during Implementation Phase The bidder shall not subcontract or permit anyone other than its personnel to perform any of the work, service or other performance required of the bidder under the contract. Note: In addition to the above points, during the contract period the vendor shall be responsible for implementing and complying with future recommendations, guidelines, and directions of regulatory & statutory, and other bodies (viz. RBI, IBA, NCIIPC, CERT-In, MoF, IDRBT etc.) to an existing functionality of the deliverables provided under this RFP, without extra cost to the Bank On Delivery 50%, On Installation 20%, Integration, 20%, 10% after 6 Months Service desk should be configured, maintained and updated to record all agreed upon SLA breaches. Bank should be able to generate reports to validate the service availability through comprehensive web-based portal (dashboard). The portal shall be accessed by Bank users with individual login credentials A maximum penalty of 20% of the value of total Implementation Cost of the delayed solution/ service would be levied for implementation delays. There are Services(such as Anti Phishing, Mobile Application Review etc.) which will require subcontracting from OEM directly apart from Main Components The bidder can subcontract or permit anyone other than its personnel to perform any of the work, service or other performance required of the Bidder under the contract with the prior written consent of the Bank. For implementing and complying with future recommendations, guidelines, and directions of regulatory & statutory, and other bodies (viz. RBI, IBA, NCIIPC, CERT- In, MoF, IDRBT etc.) 1. All Configuratoin relatred changes related to future recommendation and Guidlines will be covered at free of cost. 2. In case any Hardware Software, License, Subscription, OEM Services etc required to fullfill the guidlines, will have to be borne by the Bank. For implementing and complying with future recommendations, guidelines, and directions of regulatory & statutory, and other bodies (viz. RBI, IBA, NCIIPC, CERT- In, MoF, IDRBT etc.) 1. All Configuratoin relatred changes related to future recommendation and Guidlines will be covered at free of cost. 2. In case any Hardware Software, License, Subscription, OEM Services etc required to fullfill the guidlines, will have to be borne by the Bank We request bank to release final 10% payment at the time of sign off as already Bidder is submitting the PBG equivalent to 10% of Contract Value We request bank to release final 10% payment at the time of sign off as already Bidder is submitting the PBG equivalent to 10% of Contract Value Considering the volume of the Tickets pls confirm bank already has a service desk tool If Yes, we seek your confimrattion whether SIEM shall be integrated with the bank service desk. In case No, pls confirm the service desk tool to be supplied and the technical specificaiton of the service desk tool. Considering the volume of the Tickets pls confirm bank already has a service desk tool If Yes, we seek your confimrattion whether SIEM shall be integrated with the bank service desk. In case No, pls confirm the service desk tool to be supplied and the technical specificaiton of the service desk tool. Standard Penalty Capping all across BFSI industry is 10% We request bank to cap the penalty value to 10% of delayed solution We request the bank to chnage the clause to The bidder shall provide SOC solutions/ services with its own personnels, except 3rd party services like Anti-Phishing. Bank does not have Service Desk Tool. The bidder shall provide service desk tool as per the scope of the RFP. (Like- for SLA Monitoring & Calculation) Bidder should have successfully implemented SIEM with integrated Core Application in at least one BFSI organization in India." 6 68 EC Clause 13 Bidder/OEM should have successfully implemented SIEM in integration with Core Banking System (Finacle). In case of OEM s experience, the OEM shall own the complete implementation responsibility of SIEM. Or "Bidder/OEM should have successfully implemented SIEM and integration with Core Banking System (Finacle). " Supporting Documents Required: A Confirmation/Completion Certificate from the client. An undertaking letter from the respective Bidder/OEM for implementing the SIEM in the BFSI.

3 7 68 EC Clause 14 Bidder/OEM should have successfully implemented WAF, PIM, and Anti- APT. In case of OEM s experience, the OEM shall own the complete implementation responsibility for the solution whose proof submitted by OEM (WAF, PIM, and Anti-APT). We request the bank to chnage the clause to Bidder/OEM should have successfully implemented WAF, PIM, and Anti- APT. Supporting Documents Required: A Confirmation/Completion Certificate from the client. An undertaking letter from the respective Bidder/OEM for implementing the solution Limitation of Liability Neither party shall be liable to the other for any special, indirect, incidental, consequential (including loss of profit or revenue), exemplary or punitive damages whether in contract, tort or other theories of law, even if such party has been advised of the possibility of such damages. The total cumulative liability of Bidder arising from or relating to the Agreement shall not exceed the amount paid to the successful Bidder by the Bank during the preceding six (6) months period (as of the date the liability arose). We request you to consider the following industry standard Limitation of Liability ( LOL ) clause under the RFP: Neither party shall, in any event, regardless of the form of claim, be liable for any indirect, special, punitive, exemplary, speculative or consequential loss or damages. Subject to the above and to the extent allowed by local laws, the maximum aggregate liability of each party under this proposal for any claim or series of claims under any relevant purchase order regardless of the form of claim, damage and legal theory shall not exceed the annual value of the Contract Chapter Service Levels during Implementation Phase A maximum penalty of 20% of the total project cost would be levied for implementation delays in the bank per product/service A maximum penalty of 20% of the the value of total Implementation Cost of the delayed solution/ service would be levied for implementation delays in the bank per product/servic Service Levels during Operations Phase SIEM Solution Uptime & Other Solution Uptime 11 Penalty SLA Penalty Request the bank to consider the below suggestion: The maximum penalty in all categories will not exceed 10% of monthly ops value. Request the bank to consider the below suggestion: "The overall SLA penalty on SOC operations will be capped at 10% of the quarterly billing. 12 Total Penalty Payment Terms For SIEM, WAF,PIM & An PAM: - 50% on delivery - 20% on installation & configuration - 20% on Implementation Closure 10% 6 month post sign off WAF should be able to restrict the number of files in a request The Web application firewall should be able to integrate with web application vulnerability assessment tools (Web application scanners) The following report formats are deemed of relevance: Word, RTF, HTML, PDF, XML, etc. The maximum Total Overall Penalty levied during entire tenure of contract should not exceed 10% of Total Value of Contract Payment Term Revision Required since Bidder have to pay upfront to the OEM for the product with Warranty. For SIEM, WAF,PIM & An PAM: - 70% on delivery - 20% on installa on & configura on - 10% on Implementation This feature is available with particular OEM and request you to remove the same so that Fortinet can also participate in this bid. There are number of Vulnerability assessment tools are available in the market. It is very hard to integrate with all of them. It will help us to confirm with which Vulnerability tool we need to integrate. Report formats in XML and RTF are available with particular OEM and request you to remove the same so that Fortinet can also participate in this bid. So would request you to please remove XML and RTF. The requirement is Preferable (P) in the RFP. Presently Bank is using VA Tool:- McAfee Vulnerability Manager. However, the successful bidder shall integrate with any other VA Tool as per Bank's future requirement without any cost to the Bank The solution should support virtual environments Please clarifiy whether the requirement is WAF on VM? Already clarified. Refer Sr No The solution should support all operating systems and their versions Please clarify whether the requirement is "WAF shall support the real server including but not limited to Windows, AIX,Unix, Linux, Solaris, HP Unix following OS ie Window, AIX, Unix, Linux, Solaris, HP Unix"? The solution should provide following capabilities: URL Encryption Whether the objective is for masking? If no, pls expedite the url encryption requirement. The solution should support both inline and out of the band mode. Please clarify Shall we put sensor inline and sandbox out of the band mode? The URL Encryption should completely secure against the URL attack surface through URL encryption. For example- it should completely hide both the path and the parameter name and value to ensure a malicious actor can not manipulate the URL.

4 Sandboxes must support multiple operating systems and for both 32-bits and 64- bits OS. Bank currently has: Solaris, Windows, & Redhat Linux operating systems. Solaris and Linux features are available with particular OEM, Would request you to remove Solaris and Linux so that Fortinet can also participate in this bid The solution should support Windows XP, Windows 7, Windows 8, Windows 10 Microsoft 2003, Microsoft 2008, Solaris10, Redhat 5 & above Linux operating environments for Sandboxing, this requirement should be based on virtual execution and should not be Hardware or chip based function. Following OS Window XP, Microsof 2003, Microsoft 2008, Solaris10, Redhat 5 & Linux features are available with particular OEM, Would request you to remove the same so that Fortinet can also participate in this bid The solution should support windows XP, Windows 7, Windows 8, windows 10 Microsoft 2003, Microsoft 2008 (32 bit & 64 bit OS), Solaris10, and RedHat 5 & above Linux operating environments for Sandbox file analysis. Solution should have option to upload custom sandbox image running in Bank s environment. Following OS Window XP, Microsof 2003, Microsoft 2008 (32 bit & 64 bit OS), Solaris10, Redhat 5 & Linux features are available with particular OEM, Would request you to remove the same so that Fortinet can also participate in this bid. 24 Payment Terms For any delays in the project installation/ implementation due to delays/ dependency from Bank side, the payment should be released as per the payment plan mentioned in the tender for each technology. Further, The bank will release the Payment defined under Delivery (50%), Installation(20%) & remaining 30% should be released against BG of equivalent value Request the bank to release the Payment including % of Payment defined under Delivery & Installation both when 3 months time from date of PO is over & implementation not yet able to be completed due to delay at bank's end Indemnity Indemnity The indemnity stated in the RFP is very wide thereby we request Bank that indemnity be restricted to third party claim(s) for bodily injury including death, damage to tangible property due to gross negligence and willful misconduct of Bidder and infringement of intellectual property rights only. 26 ANNEXURE - IX System should support denial of access protection by blocking repeated password failures on multiple administrator accounts in the directory. Please provide more clarification wrt funcionality requiried The Requirement is self explaionatory. 27 ANNEXURE - IX 28 ANNEXURE - IX 29 ANNEXURE - IX Support for database-maintained change log for event triggered updates Proposed requiremnt is not releated to PIM solution, kindly confirm Solution should identify what information has changed and synchronize only that information Proposed requiremnt is not releated to PIM solution, kindly confirm Should be able to handle access to mobile devices and applications Please provide more clarification wrt types and no of application and mobile device requiried

5 30 ANNEXURE - IX Support for password push to selectable target systems (i.e., the user or administrator is allowed to specify which systems have the same password Not considered as standard PIM reuirment, hence reuest deletion of clause 31 ANNEXURE - IX If the privileged users attempt to block session recordings, system should have the ability to raise appropriate alerts. since the recording happens centrly, the user can not stop the recording services, kindly confirm if our understanding is correct If session recording happens centrally then OK. In case priviledge user attempt to block session recording by any means then the system should raise alerts.

6 32 ANNEXURE - IX No of users Kindly confirm no of Admin user and target device need to manage by PIM solution Refer RFP Clause No 'Privilege Identity Management (PIM)', at Page No. 42 under section Monitoring. The clause mentions that-- "The devices in scope for PIM solution are same as that mentioned in SIEM Scope section. The total number of administrators for these devices is around 100. The solution should scalable up to 200 administrators. The bidder should provide cost for per 10 administrators." Need clarification 33 ANNEXURE - IX As indusrty practiceproposed solution shoud have capability of Command control on any SSH connections (Unix Systems, Network Devices, Security devices & any SSH based target systems) Need clarification 34 ANNEXURE - IX As industry best practice the proposed solution shall cater for live monitoring of sessions and manual termination of sessions when necessary,please confirm our understanding is correct Need clarification 35 ANNEXURE - IX As industry best practice the proposed solution should use built-in FIPS validated cryptography for all data encryption kindly confirm our understanding is correct 36 ANNEXURE - IX Additonal comments The propose Solution should have the capability to provide intelligence-driven analytics to identify suspicious and malicious privileged user & privilege account behaviour Additonal comments 37 ANNEXURE - IX The Cyber Attackers will target the Endpoints to penetrate the infrastructure, hence the solution should detect & Block the credentials theft from computers. Like Windows credentials theft (SAM, LSASS Harvesting) & Browser credential theft (IE, Firefox, Chrome) & Third party credentials theft (Win SCP, VNC),kindly confirm if our understanding is correct The Bidder should have experience of at least 1 BFSI (Banking, Financial services and Insurance) or Govt. Sector client in implementing/supporting a Security Operations Centre (SOC) in last 5 years in India. The Bidder should have implemented or provided/be providing SOC Security Services, including log monitoring and corelation, for minimum 1000 EPS to at least one (01) BFSI or Govt. Sector client in India. The proposed PIM solution must be in the Leaders Quadrant of latest published report by Forrestor/ IDC Request to allow Global Refrences since HPE is a Global Organisation Providing services to Clinets across Globe Request to allow Global Refrences since HPE is a Global Organisation Providing services to Clinets across Globe 41 The Bidder s organization should have ISO certification. Pls allow ISO certification 42 The proposed solutions (i.e. SIEM, WAF, PIM, and Anti-APT) should be Request to allow Global Refrences since HPE is a Global Organisation Providing successfully implemented in any BFSI or Govt. Sector client(s) in India. services to Clinets across Globe 43 Sub contracting 44 6 EC EC-6 The bidder should have experience of at least 1 BFSI (Banking, Financial services and Insurance )or Govt Sector client in implementing/ supporting a security Operation Centre (SOC) in last 5 years in India The Bidder should have implemented or provided / be providing SOC security services, including log monitoring and corelation for minimum 1000EPS to at least 01 BFSI or Govt Sector client in India Should be allowed with prior written consent from PSB though complete project deliverables & Scope is bidders responsibility The bidder should have experience of at least 1 BFSI (Banking, Financial services and Insurance )or Govt Sector client in implementing / supporting Manage Secirity Services in last 5 years in India The Bidder / OEM should have implemented or provided / be providing SOC security services, including log monitoring and corelation for minimum 1000EPS to at least 01 BFSI or Govt Sector client in India Already clarified, refer Sr. No EC-6 The Bidder should have implemented or provided / be providing SOC security services, including log monitoring and corelation for minimum 1000EPS to at least 01 BFSI or Govt Sector client in India The Bidder should have implemented or provided / be providing Manage security services, including log monitoring?manageing of logs to at least 01 BFSI or Govt Sector client in India

7 47 37 Training Provide training to the identified bank personnel/ SOC team on the product architecture, functionality and the solution design to be provided before the implementation of solution. Provide hands-on training to the bank personnel/ SOC team on SIEM policy configuration, alert monitoring, etc - post implementation. Please specify the no of attendees for this training No of attendees - 10 (approx.) SoC Monitoring The bidder should also quote for one 40 LED display screens at the SOC. One Screen may-not be sufficient. It is suggestedd to have a matrix of 4 screens with 1.8mm bezel with video switch and speakers. It should be a segregated room insulated with Noise as alerts may be sounded off. Kindly advise if an appropriate SOC Monitoring facility needs to be set-up? Storage Sizing WAF Deployment locations for WAF The Bidder shall deliver minimum Disk size while additional disk may be procured by the bank as per rate card in the BOM. At the time of delivery (to be delivered) 5000 sustained and 7000 peak EPS Scalability Up to sustained and peak EPS The prices of disk may vary year on year, hence request the bank to only consider minimum storage as part of the RFP and the unit cost to be considered seperately. As per industry best practice, the sustained EPS and peak EPS should be double (eg. If sustained EPS is mentioned at 10000, the peak EPS should be 20000). Hence the solution needs to be sized for alteast EPS from Day one. Request the bank to clarify the same. As a best practice, it is suggested to have a WAF for UAT enviornment. Kindly suggest Anti Advanced Persistent Threat System (Anti-APT) The solution should be sized for 50Mbps performance throughput. What is the scalability? How was this sizing arrived at? Please follow the Bank's requirement Risk Assessment The vendor shall conduct IT Risk Assessment of new products and services. Assessing the efforts for Risk Assessment of new products and services will be difficult. There may be requuirement for specialized skills for the same. The exercise may be very effective of we can quote per man-day rate for 3 categories of cosultant (Consultant, Sr Consultant and Principal Consultant). The effective mandays to be billed will be discussed and approval will be taken for the same Risk Assessment Vendor shall ensure continuous training and best practice updates to Bank Team. Please specify the no of attendees for this training and the frequency. Ideally once in a year or bi-annually should be sufficient No of attendees :- 10 (approx.) and frequency should be quarterly. However, frequency can change as per Bank's requirement Forensic Investigation The bidder shall have skill sets to provide fraud investigation on banks IT infrastructure and banking related processes. The bidder shall have skill sets to provide (change the word to facilitate) fraud investigation on banks IT infrastructure and banking related processes IS Audit of SOC Solution The selected bidder shall conduct the IS Audit of the complete SOC Solution through a CERT-In empanelled auditor agency within one year of issuance of Purchase Order. It is suggested that the Entity should be different/ independent agency. There maybe some bidders who are also empanelled with CERT-IN. Request to bank to consider the same The IS Audit should be conducted by an independent IS Audit agency empanelled with CERT-In Service Levels during Operations Phase SLAs for Solution Uptime This SLAs is as per the availabilty expectation of the solution specified for each individual solution component as mentioned in Service levels during SOC Operations Events along with action plan/ mitigation steps should be alerted to designated bank personnel as per the below SLA: Critical events within 15 minutes of the event identification. Update should be provided every 15 minutes till the closure of the incident Critical events can only be alerted in 15 minutes. Appropriate action plan/ mitigation steps suggestion require proper time-lines. It is very unreasonable of the bank to specify these time-lines. KIndly request the bank to consider the same and limit the scope to alerting only SIEM Solution Implementation Cost (In INR) Additional cost per 1000 EPS Is this related only to the scalability parameters specified in 3.2. Else there may be additional cost incurred on the hardware SIEM Solution Implementation Cost (In INR) Tier III Storage Request the bank to consider only minimum storage i.e of 10 TBs. There can be unit cost linked to a disk with specific size & not be TB of disk Anti Phishing Services Implementation Cost(In INR) Costing for DC or DR SOC Resource Cost Fixed SOC resources for 5 years This is related to service for monitoring bank's URL. There may be no specification to provide a DC or DR costing. Kindly request the bank to consider appropriate costing template The No of SOC resources can very of the no of EPS, alerts per day increase and there may be additonal resources required. Eg. Minimum suggested L2 should be 4 and L3 should be 2 after 3 years. Request the bank to consider year on year pricing for the SOC resource as the cost of resource may vary as to when the additonal resource may be required by the Bank Bank is hosting website at DC as well as at DR Site. Though, the Bidder shall put commercials under DC section only. It means that commercials shall be on per hosted website (i.e. domain name) and not based on the number of instances of the same website.

8 Request the bank to consider per man-day per category (Consultant, Sr Consultant & Pricipal Consultant) level pricing Risk Assessment & Forensic Investigation Penalty Efforts & skills level for Risk assessment at different times may vary, hence request the bank to consider unit prices as part of the RFP only and specify these 3 categoires. The bank will consider the inability of the SI to deliver or install or implement the The bank will consider the inability of the SI to deliver or install or equipment/ solution within the specified time limit, as a breach of contract and implement the equipment/ solution within the specified time limit, as would entail the payment of Liquidation Damages on the part of the SI. a breach of contract and would entail the payment of Liquidation Notwithstanding the Bank s right to cancel Damages on the part of the SI. Notwithstanding the Bank s right to the order, Liquidated Damages at 1% of the Total Implementation Cost of the cancel the order, Liquidated Damages at 1% of the Total delayed solution/ Implementation Cost of the delayed solution/ service per week will be service per week will be charged for every week's delay in the implementation of charged for every week's delay in the implementation of the proposed the proposed solution/ service beyond the specified delivery/ commissioning/ solution/ service beyond the specified delivery/ commissioning/ installation/ installation/implementation period subject to a maximum of 20% of implementation period subject to a maximum of 10% of the value of total the value of total Implementation Cost of the delayed solution/ Implementation Cost of the delayed solution/ service. service EC 4 - Eligibility The bidder should have an annual turnover of at least Rs. 10 Cr in provining security services in each of the last three Financial Years The bidder should have an annual turnover of at least Rs. 10 Cr in provining security business in each of the last three Financial Years 66 7 EC -16 The proposed WAF solution must be in the Leader or Challenger Quadrant of latest published Gartner s Report The Web Application Firewall solution offered must be rated as leaders or 'Challengers' in the latest Magic Quadrant for WAF published by Gartner or NSS Lab Security Value Map 67 7 EC -16 The proposed WAF solution must be in the Leader or Challenger Quadrant of latest published Gartner s Report The Proposed WAF solution must be in the Leaders or challengers Qudrant of latest Gartner report in ADC or Web application Firewall Category Payment Terms b) Payment Terms b) Payment Terms b) Implementation Phase for SIEM On Delivery of SIEM Solution as per scope - 50% Installation & Configuration of SIEM Solution as per scope - 20% Implementation Closure - which includes integration with devices, servers, and applications mentioned in the Scope of the RFP, and also integration with the other solutions procured in this RFP, i.e. making the SOC operational (as per scope of RFP), UAT, and receiving sign off from the bank - 20% 6 months post sign off - 10% Implementation Phase for Web Application firewall (WAF) On Delivery of WAF Solution as per scope - 50% Installation & Configuration of WAF Solution as per scope - 20% Implementation Closure - which includes integration with devices/ applications in scope (including integration with SIEM) and receiving sign off from Bank - 20% 6 months post sign off - 10% Implementation Phase for PIM Solution On Delivery of PIM Solution as per scope - 50% Installation & Configuration of PIM Solution as per scope - 20% Implementation Closure - which includes integration with devices/ applications in scope (including integration with SIEM) and receiving sign off from Bank - 20% We request you to kindly amend the payment terms for SIEM implementation as follows: On Delivery of SIEM Solution as per scope - 70% Installation & Configuration of SIEM Solution as per scope - 20% Implementation Closure - which includes integration with devices, servers, and applications mentioned in the Scope of the RFP, and also integration with the other solutions procured in this RFP, i.e. making the SOC operational (as per scope of RFP), UAT, and receiving sign off from the bank - 10% We request you to kindly amend the payment terms for WAF implementation as follows: On Delivery of WAF Solution as per scope - 70% Installation & Configuration of WAF Solution as per scope - 20% Implementation Closure - which includes integration with devices/ applications in scope (including integration with SIEM) and receiving sign off from Bank - 10% We request you to kindly amend the payment terms for PIM Solution implementation as follows: On Delivery of PIM Solution as per scope - 70% Installation & Configuration of PIM Solution as per scope - 20% Implementation Closure - which includes integration with devices/ applications in scope (including integration with SIEM) and receiving sign off from Bank - 10% Payment Terms b) 6 months post sign off - 10% Implementation Phase for ANTI-APT Protection Solution On Delivery of ANTI-APT Protection Solution as per scope - 50% Installation & Configuration of ANTIAPT Protection Solution as per scope - 20% Implementation Closure including integration with existing devices (including with SIEM) and receiving sign off from Bank - 20% 6 months post sign off - 10% We request you to kindly amend the payment terms for ANTI-APT implementation as follows: On Delivery of ANTI-APT Protection Solution as per scope - 70% Installation & Configuration of ANTIAPT Protection Solution as per scope - 20% Implementation Closure including integration with existing devices (including with SIEM) and receiving sign off from Bank - 10%

9 Minimum eligibility Criteria for the Bidders - EC 15 The proposed solutions should be certified/ benchmarked by an independent third party/ OEM for performance, security. Enclose certificate/ benchmark report for security, performance from independent third party OR OEM letter for performance, security. 1. Please specify the acceptable independent 3rd parties for each OEM component (SIEM, WAF, PIM, Anti-APT) 2. Please provide the format of OEM letter required for performance, security for each OEM component separately (SIEM, WAF, PIM, Anti-APT) Minimum eligibility Criteria for the Bidders - EC 14 Bidder/OEM should have successfully implemented WAF, PIM, and Anti-APT. In case of OEM s experience, the OEM shall own the complete implementation responsibility for the solution whose proof submitted by OEM (WAF, PIM, and AntiAPT). We understand bidder should have experience in SIEM, PIM, WAF and Anti-APT solution for any of the OEM not necessarily proposed OEM. Please confirm. And in case bidder is showing experience, undertaking letter from Bidder would suffice. Please confirm Warranty / AMC All the hardware to be delivered for the SOC Project should be sized at 70% CPU and RAM peak utilization. Please confirm if hardware resources can be shared across multiple components. I.e can we have PIM and APT running on same Hardware system but on different Virtual machines. Also, would request you to add a clause that HA of any component can't reside on same hardware i.e two VMs running in HA can't be on same underlying hardware. It is clarified that:- (1) Each solution should be deployed on separate blade or separate server. (2) Any instance/module in HA for any application/solution must either be on separate box or separate physical blade. (3) The servers/ solutions shall connect to storage with SAN Switch Scope of Work, Intended Priniples, clause performance principles Providing of appropriate ticketing tools for Reporting and logging of information security incidents. All leading SIEM tools provide incident management workflow within siem tool and same can be leveraged for tracking incidents. We believe that PSB is not looking for a dedicated ticket management tool like remedy for this purpose. Please confirm. The bidder shall provide the Incident Management/ Ticketing Tool as per the scope of the RFP.

10 Replication Scope of Work, Intended Priniples, clause performance principles Scope of Work, Intended Priniples, clause performance principles Solution Implementation Integration Procurement of secured links (with necessary bandwidth) between Bank s DC and DR, along with servers, software, database, storage solution, and networking & security equipments etc. required for implementation of SOC. Procurement of secured links (with necessary bandwidth) between Bank s DC and DR, along with servers, software, database, storage solution, and networking & security equipments etc. required for implementation of SOC. The logs collected by the SIEM log collector should be replicated across primary Data Canter and Disaster Recovery location. The bidder needs to provide an estimate of the bandwidth required for the replication process after due analysis of the existing setup of the Bank. The SIEM tool should be integrated to VAPT Tool to provide a comprehensive dashboard for VAPT reports. (Bank already has VAPT Tool deployed of corporate license.) The SIEM tool should be integrated to VAPT Tool to provide a comprehensive dashboard for VAPT reports. (Bank already has VAPT Tool deployed of corporate license.) The SIEM tool should be integrated with incident management/ ticketing tool to generate automated tickets for the alert events generated by the SIEM tool. We understand this is to ensure that logs are available at DR in case of unavailability of DC for any reason. Logs should be available in offline mode and should be able to import to SIEM tool as and when required for investigation for period of log retention. We Would request you to change this clause to - Solution must ensure availability of logs at DC and DR in line to log retention requirement. Logs can be sent to DR in real-time or offline shipping mode. Bidder is required to factor pre-requisites in terms of bandwidth, log backup solution, hardware and software to achieve the same. We understand PSB will provide required connectivity & bandwidth between DC & DR for solution administration & monitoring purpose. Pls confirm. We understand this is only offline shipping of logs from DC to DR site for long term retention prospective and not for real-time event correlation and incident response. Please confirm. Also log shipping can be from SIEM tool or collectors depending upon OEM solution. We would recommend to change this clause to - Solution must ensure availability of logs at DC and DR in line to log retention requirement. Logs can be sent to DR in real-time or offline shipping mode. Log can be shipped from SIEM or collector. Please advise VA PT tool being used by PSB as of now. Is it also being used for Web application PT. Please confirm. Also confirm, frequency of VA PT and reporting format ( xml / csv) of the tool. Pls advise if bidder can leverage SIEM capabilities for Incident management. Also please include that Dashboard should provide organization risk posture by integrating with other security contols like VA / PT, AV, Patch management. Dashboard should also include knowledge base on incident response processes. The bidder is responsible for procurement of secured links (with necessary bandwidth) between Bank s DC and DR, along with servers, software, database, storage solution, and networking & security equipments etc. required for implementation of SOC. The bidder shall replicate all data in realtime/ near realtime between DC & DR, for all application/ solutions scoped in DR as per RFP. - Bank does not have any PT Tool and the bidder needs to factor the same as per the scope of the RFP for PT of web facing applications. - Bank has VA Tool - McAfee Vulnerability Manager - Refer RFP Clause for frequency. Bank don't have any problem till all requirements of the Bank as per RFP meets. Please also refer Sr No Storage The solution should provide data replication over IP to a different site for disaster recovery and data protection with support for Unidirectional, Bi-directional, one-to-many and many-to-one replication topologies, Retention and Disposal functionality, and no single point of failure in the solution. Should provide industry leading data integrity protection to include proactive self-healing measures. We understand this is for ensureing log retention for addressing regulatory compliance and incident investigation and analysis. We would recommend this to be changed to - Solution must ensure availability of logs at DC and DR in line to log retention requirement. Logs can be sent to DR in real-time or offline shipping mode. Log can be shipped from SIEM or collector locations in Scope storage server and Storage - Data center We understand this is to ensure that there is no event loss in case of any failure at storage. We would recommend this to be changed to Bidder to provide redunduncy at collection and storage ( Disk level, interface level & Card level) to ensure there is no data loss at storage. Please remove log storage server component locations in Scope storage server and Storage - Disaster recovery Same as above. Please remove Log storage Server component Phishing Site Takedown Services The bidder shall bring down the detected phishing site and deactivate the site at the earliest Security Architecture Review Doing an application security assessment of the bank s applications please advise no. of take downs to be factored for Anti-Phishing instances. Please provide list of applications for security assessment. Also, we understand, bidder will leverage PSB existing application testing tools / licenses for carrying out assessment.pls confirm. As per RFP- Keep track of the site brought down for reactivation for at least 2 months. The reactivated sites are to be brought down without any additional charges during this period of 2 months. Bank does not have any application testing tool. The Bidder shall perform the Security architeture review of the Bank by its own. Please refer Section of the RFP for applications Security Architecture Review Conducting secure code review Secure code review requires a dedicated tool. Pls advise if bidder need to factor the same. Also please advise no of applications for source code review The bidder may need to factor in such case, if required Security Architecture Review Conducting a configuration review of the IT and network infrastructure Configuration review requires a dedicated tool. Please advise if bidder need to factor the same. The bidder may need to factor in such case, if required Vulnerability Assessment and Penetration Testing(VAPT) The vendor shall conduct PT of all web facing applications of the Bank on quarterly/ half yearly basis (or as directed by regulatory authority, statutory authority, or GoI Ministry/ Dept/ Agency) please advise if bank is already having license for Web application PT or bidder need to factor the same. Also please advise no of application for PT - The bidder needs to factor for the PT Tool. Bank does not have PT Tool. - Web facing applications = 7 approx.

11 Monitoring, Reporting and Security Dashboard: 90 Application Security 91 ANNEXURE - IX New Suggestion-next Gen WAF features Service Desk System Service desk should be configured, maintained and updated to record all agreed upon SLA breaches. Bank should be able to generate reports to validate the service availability through comprehensive web-based portal (dashboard). RFP has addressed most of the Application Security points but still some application security points are missing like unknown attacks based on user inputs and application responses, Zero day Attacks, atomic attacks and complex attack chains hence to address these kind of attacks request you to consider next generation application security solution with minimum requirements. 1.The application security solution should have positive security model with machine learning capabilities to detect and prevent anomaly in application traffic and unknown attacks. Machine learning should be based on true ML algorithms, and not just automation of dynamically learnt rules. 2. web application security solution should have capability of performing static analysis of source code & dynamic analysis at RUN time to identify potential vulnerabilities in web applications and solution must have option to deploy virtual patch based on static and dynamic analysis results. 3. The Web application security solution should address known & unknown attacks based on user inputs and application responses using combination of dedicated protectors/signature engines and Machine Learning 4. WAF should support built-in correlation engine to detect atomic attacks and complex attack chains. Administrator should have option to define customized correlation rules System should support denial of access protection by blocking repeated password failures on multiple administrator accounts in the directory. Please advise if bidder can leverage Incident management feature of SIEM tool itself or bidder need to factor a dedicated Service Desk system. Please confirm Please provide more clarification wrt funcionality requiried Already clarified The requirment is self explanatory. 92 ANNEXURE - IX Support for database-maintained change log for event triggered updates Proposed requiremnt is not releated to PIM solution, kindly confirm The requirement is Preferable in the RFP (Refer Sr No. 19 -PIM, Page No. 129). 93 ANNEXURE - IX Solution should identify what information has changed and synchronize only that information Proposed requiremnt is not releated to PIM solution, kindly confirm The requirement is Preferable in the RFP (Refer Sr No. 20 -PIM, Page No. 129). 94 ANNEXURE - IX Should be able to handle access to mobile devices and applications Please provide more clarification wrt types and no of application and mobile device requiried The Requirement is self explaionatory. 95 ANNEXURE - IX Support for password push to selectable target systems (i.e., the user or administrator is allowed to specify which systems have the same password Not considered as standard PIM reuirment, hence reuest deletion of clause 96 ANNEXURE - IX If the privileged users attempt to block session recordings, system should have the ability to raise appropriate alerts. since the recording happens centrly, the user can not stop the recording services, kindly confirm if our understanding is correct Already clarified. 97 ANNEXURE - IX No of users 98 ANNEXURE - IX Need clarification 99 ANNEXURE - IX Need clarification 100 ANNEXURE - IX Need clarification Kindly confirm no of Admin user and target device need to manage by PIM solution As indusrty practiceproposed solution shoud have capability of Command control on any SSH connections (Unix Systems, Network Devices, Security devices & any SSH based target systems) Already clarified. Already clarified. As industry best practice the proposed solution shall cater for live monitoring of sessions and manual termination of sessions when necessary, please confirm our Already clarified. understanding is correct As industry best practice the proposed solution should use built-in FIPS Refer ANNEXURE - IX - Other General Requirements S.No 8 of the RFP. validated cryptography for all data encryption kindly confirm our understanding is As per the requirement- "All devices should comply with FIPS correct standard for cryptographic modules." 101 ANNEXURE - IX Additonal comments The propose Solution should have the capability to provide intelligence-driven analytics to identify suspicious and malicious privileged user & privilege account behaviour 102 ANNEXURE - IX Additonal comments 103 The proposed PIM solution must be in the Leaders Quadrant of latest published report by Forrestor/IDC The Cyber Attackers will target the Endpoints to penetrate the infrastructure, hence the solution should detect & Block the credentials theft from computers. Like Windows credentials theft (SAM, LSASS Harvesting) & Browser credential theft (IE, Firefox, Chrome) & Third party credentials theft (Win SCP, VNC),kindly confirm if our understanding is correct

12 The solution should be able to conduct full packet capture for data This clause may be removed or re-phrased as 'Solution must have capability to integrate with solutions for complete packet capture' Also please put points for data security which is considered important from Banks perspective: Solution must be capable encrypting data in Format preserving encryption at source (Application) itself - Solution must e FIPS compliant - Solution must be capable of running on Virtual platform - It must protect important bank information like PCI, PI etc end to end - Same solution must be capable of Data Masking, Format preserving encryption and tokenization 106 Pg Pg Pg The solution should be able to identify malware present in network file shares and web objects (QuickTime, MP3 and ZIP/RAR/7ZIP/TNEF archives, 3gp, asf, chm, com, dll,ico, jar, jpeg, jpg, mov.) and able to quarantine them. May please change to The solution should be able to identify malware present in network file shares and web objects (ZIP/RAR/7ZIP/TNEF archives, asf, chm, com, dll,ico, jar, jpeg, jpg) and able to quarantine them. Reason Media files like quick time, mp3 are not candidates for advanced threats. Prorietry to OEM hence may be removed The solution should be able to identify zero-day malware present in file and web objects (Adobe Flash File, Java, Microsoft Office Files.doc.docx.ppt.pptx.xls.xlsx,.pdf, rar, dll, sys, tar, exe, zip, bzip, 7zip, ink, May please move from essential to preferable chm, swf etc.) and should have ability to interrupt malicious communication. May please remove database. The solution should support Sandbox test environment which can analyse threats to various operating systems, browsers, databases etc. Reason Scope for APT solution does not cover databases. Proprietry to OEM 109 Pg The Anti-APT Solution should have minimum 50 Sandboxes and should be able to handle at least files in a day. May please change to The Anti-APT Solution should be able to handle at least files in a day. Reason The number of VM varies form one OEM hence the min no of sanboxes should be removed 110 Pg The solution should monitor Inter-VM traffic on a Port Mirror Session. Proposed Change The solution should monitor Inter-VM traffic on a Port Mirror Session or should be able to view the internal display of the running VM. 111 Pg The solution should support Windows XP, Windows 7, Windows 8, Windows 10 Microsoft 2003, Microsoft 2008, Solaris10, Redhat 5 & above Linux operating environments for Sandboxing, this requirement should be based on virtual execution and should not be Hardware or chip based function. Reason Proprietry to single OEM Proposed Change The solution should support Windows XP, Windows 7, Windows 8, Windows 10 Microsoft 2003, Microsoft 2008 operating environments for Sandboxing Reason Proprietry to single OEM 112 Pg The solution should support windows XP, Windows 7, Windows 8, windows 10 Microsoft 2003, Microsoft 2008 (32 bit & 64 bit OS), Solaris10, and RedHat 5 & above Linux operating environments for Sandbox file analysis. Solution should have option to upload custom sandbox image running in Bank s environment. Proposed Change The solution should support windows XP, Windows 7, Windows 8, windows 10 operating environments for Sandbox file analysis. Solution should have option to upload custom sandbox image for above Reason Proprietry to single OEM Support for event-driven and request driven account de-activation (i.e., not deletion) with or without workflow approval Kindly share type of event driven method require for the same The Requirement is self explaionatory Support event-driven and request-driven account re-activation with or without workflow approval Kindly share type of event driven method require for the same Support removal of accounts from target system groups upon deletion of user account Kindly remove this, cyberark will not allow to create any account on any target machine. Users, target machine and all parameters are controlled by cyberark Automated creation, pending workflow approval(s) of user and group accounts based on attribute information Since access to server are monitored through Cyberark and it not only keeps login process secure it also keeps user identity secure. It will not allow to create users on any group accounts using automated user driven process System should support integration with external GRC, SIEM and HRMS Please share integration level for successful criteria The Requirement is self explaionatory.

13 Annexure II - Compliance to Minimum Eligibility Criteria EC-5 The Bidder should have experience of at least 1 BFSI (Banking, Financial services and Insurance) or Govt. Sector client in implementing/supporting a Security Operations Centre (SOC) in last 5 years in India. Whether experience in implementing/supporting a Security Operations Centre (SOC) for a large non-bfsi sector client can be considered as a compliance to this eligibility criterion Performance Principles Procurement of secured links (with necessary bandwidth) between Bank s DC and DR, along with servers, software, database, storage solution, and networking & security equipments etc. required for implementation of SOC. Whether the bidder has to procure these secured links (with necessary bandwidth). While the bidder will be responsible for procuring the other hardware, Bank should re-look at this clause as Bank would be in a better position to establish these links between the DC & DR Mean Time between Failures (MTBF) ANNEXURE - IX - Other General Requirements a) If during warranty and AMC period, any equipment has a hardware failure on three or more occasions in a period of less than three months or five times in a period of less than twelve months, it shall be replaced by equivalent or higher-level new equipment by the Bidder at no cost to the Bank. b) However, if the new equipment supplied is priced lower than the price at which the original item was supplied, the differential cost should be refunded to the Bank. Integration of the solutions to provide a comprehensive single dashboard view of the security risks/ incidents for the Bank. 10 All appliances should have dual power supply to ensure redundancy If the cost of the new equipment (in case of a hardware failure) is lower than the price at which the original item was supplied, does the bidder need to refund the differential cost to the Bank? Since the bidder would be responsible for replacing the hardware with an equivalent or higher-level new equipment, Bank should relook at this clause and not seek a refund, in case of differential cost. As comprehensive is a wide word so kindly clarify that what all is covered in it also is there any payment terms is linked to this. Please clarify as few appliances performance is not dependent on the kind of power supply and latest appliances models are coming with single power supply with higher performance OEM Recommendation for Hardware, Software, Licenses Please suggest if this is required with technical bid and format for the same Annexure XI Annexure XI Sample Non-Disclosure Agreement EC EC EC EC-6 Bidder/OEM should have successfully implemented SIEM in integration with Core Banking System (Finacle). In case of OEM s experience, the OEM shall own the complete implementation responsibility of SIEM. An undertaking letter from OEM. Bidder/OEM should have successfully implemented WAF, PIM, and Anti-APT. In case of OEM s experience, the OEM shall own the complete implementation responsibility for the solution whose proof submitted by OEM (WAF, PIM, and Anti- APT). An undertaking letter from OEM. The Bidder should have experience of at least 1 BFSI (Banking, Financial services and Insurance) or Govt. Sector client in implementing/supporting a Security Operations Centre (SOC) in last 5 years in India. The Bidder should have implemented or provided/be providing SOC Security Services, including log monitoring and co- relation, for minimum 1000 EPS to at least one (01) BFSI or Govt. Sector client in India Please suggest if this is required with Technical Bid Response or after award because as per 1.11 page 11 clause 11 it is required and as per ANNEXURE XIII - CHECK LIST FOR BID SUBMISSION it is not. Request to please change the clause as follows: A)"Bidder/OEM should have successfully implemented SIEM in integration with Core Banking System (Finacle)." B) Supporting document clause "An undertaking from Bidder/OEM" Request to please change the clause as follows: A)"Bidder/OEM should have successfully implemented WAF, PIM, and Anti-APT." B) Supporting document clause "An undertaking from Bidder/OEM" We request Bank to also consider public/private organization experience & replace experience from "in India" to "in India or globally" We request Bank to also consider public/private organization experience & replace experience from "in India" to "in India or globally" It may apply if replaced device make/ model is same. Refer RFP Clause No for the same. The Bidder shall deliver all Servers and storages with dual power supply. To be submitted in the Technical Bid. Sample format is given separately in this clarification. Annexure - XI is required with Technical Bid response EC-9 The proposed solutions (i.e. SIEM, WAF, PIM, and Anti-APT) should be We request Bank to also consider public/private organization experience & successfully implemented in any BFSI or Govt. Sector client(s) in India. replace experience from "in India" to "in India or globally" Section The SIEM tool should be integrated to VAPT Tool to provide a comprehensive dashboard for VAPT reports Please share the existing VAPT tool details, this is required for checking integration of VAPT tool with SIEM Bank does not have PT Tool, the bidder needs to factor the PT Tool. VA Tool Used in Bank is:- McAfee Vulnerability Manager Section The vendor shall conduct PT of all web facing applications of the Bank on quarterly/ half yearly basis Can Bidder leverage PSB exsiting tool set or Does Bidder need to propose new tool for PT? Can bidder propose cloud based solution? Already clarified Section Section Forensic Investigation The vendor shall conduct PT of all web facing applications of the Bank on quarterly/ half yearly basis Please share the count & details of Web facing applications Please share the number of endpoints that need to be considered for Forensic Investigation Privilege Identity Management (PIM) What will be Retention of recording period for all admin actiivities Already clarified It depends on the incident type. You may estimate based on any case study in Bank's incident. Bank need to comply IT Act. The logs may also be archived for retention purpose.