Page No(ten Clause(tender Ref) Description in the tender (tender Ref) # Bidder Name

Transcription

1

2 What is the count of applications that need to be tested within the Client premises and the number of pages in these applications on an average? What is the count of applications that need to be tested externally via internet and the number of pages in these applications on an average? 1 KPMG 10 Scope of work Vulnerability assessment and penetration testing (va/pt) of applications and networks devices With respect to internal testing, can KPMG personnel carry laptops inside Client premises to perform the testing? Yes With respect to network testing, how many servers and databases need to be tested? What are the other network devices that are in scope and how many of these devices need to be tested? 2 KPMG 15 Annexure I : Eligibility Criteria Only those bidders fulfilling the following criteria shall respond to the RFP Does the scope include mobile applications too? If yes, which platform will the apps belong to and how many mobile apps need to be tested? The Table lists out the eligibility criteria as 1,2,5,6,7. Kindly Clarify if the criteria are wrongly numbered or whether criteria 3 and 4 have been omitted. In case they are omitted kindly provide the missing criteria Criteria is wrongly numbered. Read eligibility criteria 1,2,5,6,7 as 1,2,3,4,5

3 3 Sify Technologies Ltd IT Current State UIIC currently has following IT applications at present in the organization 1. Genisys Configurator as the Core insurance system (policy issuance, underwriting, servicing and claims administration) 2. Customer Portal 3. Corporate Website 4. OEM Portal 5. Agent Portal 6. Grievance Portal 7. NEFT Portal 8. SAP FICO 9. SAP HRMS and Payroll 10. Eclipse (Reporting tool) 11. Integrated Treasury Management System(under implementation at present) 12. Centralized Desktop Management System 13. Corporate ing System(IBM Domino) 1. Please provide the application accessibility- Internal/Internet 2. Please provide the location of access if internal application. 3. Please provide the approximate number of Static & Dynamic pages/screens, number of user modules and the size of the applications. 4 Sify Technologies Ltd IT Current State UIIC has an in-house Data Center in Chennai with outsourced Whether near DR & DR will be in the scope. maintenance. The company also has If yes, Please share the location details. Yes, a Near DR and a DR outsourced to a third party Sify Technologies Sify Technologies Sify Technologies Sify Technologies SCOPE OF WORK 26. SCOPE OF WORK 26. SCOPE OF WORK 26. SCOPE OF WORK VULNERABILITY ASSESSMENT AND PENETRATION TESTING (VA/PT) OF VULNERABILITY ASSESSMENT AND PENETRATION TESTING (VA/PT) OF GAP ASSESSMENT, CREATION OF CCMP PLAN AND DRAFTING OF IS CONSULTING FOR READINESS OF EXTERNAL AUDIT & ISO 27001:2013 Will the location be Chennai for carrying out the Activity. Please provide the Number and type of devices for which the VA & PT needs to be conducted with access details. What will be the locations for which the GAP assessment needs to be conducted? Head Office, Chennai 1. What will be the locations for which the IS CONSULTING FOR READINESS OF EXTERNAL AUDIT & ISO 27001:2013 CERTIFICATION Head Office, Chennai

4 9 Sify Technologies Ltd DELIVERABL ES WITH TIMELINES Expected timelines for: 1. VAPT for Applications VAPT for Network Devices 6. IS Consulting for readiness of External Audit & ISO 27001:2013 Certification Grace period will be required for the mentioned deliverables. Same can be confirmed after receipt of scope details. All Activities should be carried out as per timelines given in RFP 10 AKS Information Technology Private Ltd. 4 Point 3 Earnest Money Deposit (EMD) The intending bidders shall submit Bank Guarantee/ Electronic Credit for EMD of Rs. 1,00,000/- We are empanelled with the National Small Industries Corporation Limited (NSIC) and Micro, Small and Medium Enterprises (MSME). As per the government guidelines, any company empanelled with NSIC & MSME is at liberty of not submitting the EMD for Tender issued by any Organization in India. We request you to kindly waive off the EMD for the organization registered with MSME & NSIC. EMD can be waived for Emapanelled MSME and NSIC companies. Proof of Udyog Aadhaar Memorandum should be submitted. But, tender fee will not be waived AKS Information Technology Private Ltd. AKS Information AKS Information AKS Information Technology Private Ltd. 11 Point Point Point ANNEXURE II: COMMERCIAL BID VULNERABILITY ASSESSMENT AND PENETRATION TESTING (VA/PT) OF APPLICATIONS AND NETWORKS DEVICES VULNERABILITY ASSESSMENT AND PENETRATION TESTING (VA/PT) OF IS CONSULTING FOR READINESS OF EXTERNAL AUDIT & ISO 27001:2013 Part D: IS Consulting for readiness of External Audit & ISO 27001:2013 Certification Please share location wise infrastructure details including number of IP s for External Penetration Testing along with the sites which are to be visited physically. Please share the details of the applications for VAPT Please let us know whether DR Sites will be under our Scope of Work for ISO 27001:2013 readiness Please clarify whether bidder has to bear the cost of ISO 27001:2013 certification, if yes then let us know the no. of employees under scope. Head Office, Chennai Prepare UIIC for ISO 27001:2013 Certification

5 15 M/S Sumeru Software Solutions Pvt Ltd no Scope of work 1. VULNERABILITY ASSESSMENT AND PENETRATION TESTING (VA/PT) OF APPLICATIONS AND NETWOR DEVICES This Exercise shall be carried out at UIIC premises How many premises/locations? Do we need to go and do the VAPT and process audit in all premises/locations. 16 M/S Sumeru Software Solutions Pvt Ltd no 13and IS CONSULTING DELIVERABLES FOR READINESS Final Reports will be submitted to OF EXTERNAL Risk Management Committee of AUDIT & ISO Board on approval of draft Reports 27001:2013 CERTIFICATION Review and approval of draft reports will be depend on UIIC. Need to know on turnaround time and what will be our stand if it is pending or delayed from UIIC end. If review and approval of draft reports are pending with UIIC, said time period will not considered for project timelines 17 M/S Sumeru Software Solutions Pvt Ltd no Scope of work 25. IT CURRENT STATE 1. Genisys Configurator as the Core insurance system (policy issuance, 2. Customer Portal 3. Corporate Website 4. OEM Portal 5. Agent Portal 6. Grievance Portal 7. NEFT Portal 8. SAP FICO 9. SAP HRMS and Payroll 10. Eclipse (Reporting tool) Since detailed scope not provided for each application and network devices whether we need to finish the VAPT of entire applications and network devices in 4 weeks time as mentioned in page 14 under DELIVERABLES WITH TIMELINES S.No. 1 Yes

6 11.Integrated Treasury Management system (under implementation at present) 12. Centralized Desktop Management System 13.Corporate ing System (IBM Domino) 18 M/S Sumeru Software Solutions Pvt Ltd IS CONSULTING FOR READINESS OF EXTERNAL Part D. Total cost of ownership AUDIT & ISO 27001:2013 CERTIFICATION Is consulting organisation's responsibility to tie up with external accrediation body for certification. If yes, can we add the cost to the total cost of ownership. Prepare UIIC for ISO 27001:2013 Certification only ANNEXURE I: ELIGIBILITY CRITERIA The bidder must be empanelled Information Security Auditing Organisations by CERT-in Request to amend this clause and state it as : The bidder / consortium partner must be empanelled Information Security Auditing Organisations by CERT-in No Change ANNEXURE I: ELIGIBILITY CRITERIA Request to Add the Clause on Bidder Financial information part of Eligibility Criteria and state it as : The bidder should have a minimum turnover of Rs. 100 Crores per year during last 3 years to apply for the bidding process, also should have a Net worth of more than 60+ crores in the past 3 years (14-15,15-16,16,17) No Change ) IT Current State (Second Last point) UIIC has licenses for Reinsurance (a module in Genisys Configurator) and DMS, but both are not yet implemented. Please confirm when will these applications become go-live? and if we have to consider these as two applications in addition to the list mentioning 13 applications In the scope ) IT Current State ( Last point) UIIC has an in-house Data Center in What are the locations under scope of VAPT, Gap Assessment, ISOreadiness audit. Request UIIC to specify the count of all the in-scope Chennai with outsourced maintenance. The company also has locations (on-prem or outsourced) ; Also pl specify the total assets to a Near DR and a DR outsourced to a be assessed in all locations separately third party.

7 ) SOW (1. VAPT) Appropriate updated tools shall be used for each phase of test. The bidder will bring their own tools and bear the cost themselves? Or UIIC has their own tools? OR UIIC wants to procure tools? In which case UIIC will bear the cost Bidder can use their own tools and bear the cost themselves ) SOW (1. VAPT) For internal servers, network devices and databases the VAPT will be from the Companies environment internally. Request UIIC to specify the count and details(technology, make, model, version, backend) of in-scope Internal servers, network devices, databases separately ) SOW (1. VAPT) External VAPT will be conducted from outside for the external web applications and websites such as Internet Application through Internet. Pl mention count of in-scope External facing Web Applications to conduct external PT. There is a mention of 13 applications in ITcurrent state. Pl specify if all are viable for external PT. If any internal facing applications, pl specify. Sizing details of External Applications: Number of dynamic pages for each applications ) SOW (1. VAPT) 26) SOW- Pt 3 (3. CREATION OF ROADMAP FOR ADDRESSING IDENTIFIED GAPS & PRIORITIZATOI N) 26) SOW- Pt 3 (3. CREATION OF ROADMAP FOR ADDRESSING IDENTIFIED GAPS & PRIORITIZATOI N) External VAPT will be conducted from outside for the external web applications and websites such as Internet Application through Internet. What is the expected methodology to be used for application security testing Grey Box/Black Box Roadmap and Strategy is to be developed across all Lines of Business and support services of UIIC parallely or is it to be done in phased manner for each LOB and support services? Whether any branches also needs to be covered under IRDA as well, if yes, pl specify Is there any major outsourcing done by UIIC for any key activities and the number of such key activities. Whether such outsourced process activities need to be brought under the scope of Info Sec Consulting? Black, White & Grey Box According to IRDA guidelines No

8 ) SOW- Pt 3 (3. CREATION OF ROADMAP FOR 13 ADDRESSING IDENTIFIED GAPS & PRIORITIZATOI N) 26) SOW- Pt 3 (3. CREATION OF ROADMAP FOR 13 ADDRESSING IDENTIFIED GAPS & PRIORITIZATOI N) 13 Prioritize the solution w.r.t. Organisation s posture. Whether any dedicated resource/spoc will be allocated to discuss any queries related to Roadmap definition and documentation? Please elaborate as to what is the desired outcome that UIIC wants SOW- Pt 4 Roadmap to address all Is there any preferred roadmap methodolgy (like six sigma) to be (3.DELIVERABLE shortcomings & prioritized solutions followed or we can propose our own? S) Depends on Bidder Filling of Security Gaps Own Standards / Guidelines 26)SOW-Pt 4 (4. IS CONSULTING FOR READINESS OF EXTERNAL AUDIT & ISO 27001:2013 CERTIFICATION: ) The Information Security Consulting for readiness of external audit and ISO 27001:2013 will be as per guidelines issued by IRDA Circular No.:IRDA/IT/GDL/MISC/082/2017 dated on Information and Cyber Security for Insurers and ISO 27001:2013 Information Security Standards. What all frameworks are already implemented in the UIIC? Are there any other Security Policies and procedures in place and when was the last reviewed? No

9 )SOW-Pt 4 (4. IS CONSULTING FOR READINESS OF EXTERNAL AUDIT & ISO 27001:2013 CERTIFICATION: ) RFP List Point-1. Policy, Procedures, Standard Practices, Organisation structure & other Government Requirements. What is the size of the IT organization in UIIC? Is it possible to share the IT organization structure? What is the scale of the organizational technology footprint no of users, servers, applications, IT processes, domains, sites etc? What is the mix of inhouse, managed services provider, contractors and other in the IT organization? How many business users are supported by the IT organization? People Skills and Competencies. Please let us know the approximate number of people who will be part of the assessment. Are there exsiting defined and documented ITSM processes? Will be shared with successful bidder )SOW-Pt 4 (4. IS CONSULTING FOR READINESS OF EXTERNAL RFP List Point-2-19 AUDIT & ISO 27001:2013 CERTIFICATION: ) These 18 points are from irda guidelines. The processes, procedures will be based on these guidelines. If there is any additional guideline (internal, or standard) to be followed, pl specify IRDA Guidelines and ISO 27001:2013 Standards Annexure- IV (ANNEXURE IV: PROPOSED TEAM PROFILE) RFP Table Please confirm if the details have to be provided for the proposed resources or whether the number is to be provided as per the total number of professionals in the firm. Also if we can change the resources in case of any unforeseen situation (with asked qualifications) Under the column Relevant Experience in ANEXXURE IV. Please specify if UIIC is looking for any specific expereince to be called as relevant. Proposed resources should work during the project. If any changes happens in resources, similar experience resources can be replaced previous ones without any additional cost.

10 36 3& 30 Point-1 & vi. Proposal covering methodology, ANNEXURE X (1. approach, timelines. & INSTRUCTIONS The technical bid should also detail / GUIDELINES the following: TO BIDDERS & ANNEXURE X: CHECKLIST Point-1. plan Cover A : Technical Bid) Apart from Annexure-X, do we have to submit any other proposal Technical Document should cover these points document OR these two points refer to only one technical document? Point-27 (27. DELIVERABLES WITH TIMELINES) RFP Table The weeks against each activity given in the RFP are the exact timelines or tentative? Also how many working days in a week? Exact Timelines and 5 working days in a week Point-27 (ANNEXURE II: COMMERCIAL BID) Total Summary of costs (TCO) Table Are the commercials to be shared as Man-Days or we can share overall price against each line item in the table? Overall Price each line item 39 Tech Mahindra 15 Annexure I : Point 2 The bidder must be empanelled Information Security Auditing Organisations by CERT-in Our CERT in empanelment got expired and we are in the process of renewing the certification. The certification work is under progress as on date. We can attach the old CERT In Certificate and the requisite information regarding the current renewal process with CERT in. Request UIIC to consider the same and relax this clause. Only CERT-in empanelled organisation is eligible for filling the bid

11 40 Tech Mahindra 12 SCOPE OF WORK: 2. GAP ASSESSMENT, CREATION OF CCMP PLAN AND DRAFTING OF INFORMATION & CYBER SECURITY POLICY-> Deliverables-> Point 3 Draft for Information and Cyber Security Policy will be prepared containing areas listed in IRDA information security guidelines Ref. No. IRDA/IT/GDL/MISC/082/04/2017 dated Are there any existing Cyber Security Policies in place? No 41 Tech Mahindra 13 SCOPE OF WORK: 4. IS CONSULTING FOR READINESS OF EXTERNAL AUDIT & ISO 27001:2013 CERTIFICATION- > Deliverables-> Point 1 Draft Reports will be prepared under each controls/lists of areas mentioned in guidelines of Information and Cyber Security for Insurers and ISO 27001:2013 Information Security Standards. Which are the Security Frameworks which is currently been implemented and complied to? No

12 42 Tech Mahindra 11 SCOPE OF WORK: 2. GAP ASSESSMENT, CREATION OF CCMP PLAN AND DRAFTING OF INFORMATION & CYBER SECURITY POLICY 4. IS CONSULTING FOR READINESS OF EXTERNAL AUDIT & ISO 27001:2013 CERTIFICATION > Enterprise Security > Information Asset Management > Physical and Environmental Security > Human Resource Security > System acquisition, development and maintenance > Information Security Risk Management > Data Security > Application Security > Cyber Security > Platform /Infrastructure Security > Network Security > Cryptography & Key Management > Security Logging & Monitoring > Incident Management > Endpoint Security > Virtualization > Cloud Security > Mobile Security Is it possible to share the volumetrics of the areas specified in the RFP to be covered during Gap assessment, IS Consulting for readiness of external audit & ISO 27001:2013 certification According to IRDA guidelines 43 Tech Mahindra 11 SCOPE OF WORK: 2. GAP Vendor will provide GAP analysis When was the last GAP assessment/ Audit done? Not done ASSESSMENT, 44 Tech Mahindra Tech Mahindra 11 CREATION OF SCOPE OF WORK: 2. GAP ASSESSMENT, CREATION OF CCMP PLAN AND DRAFTING OF INFORMATION & CYBER SECURITY POLICY report and recommendations to address the identified the gaps. > Incident Management What is the status of the actions from last GAP assessment/audit, if any was done earlier? Is there an existing Security Incident response management process in place? Not Applicable No

13 46 Tech Mahindra Tech Mahindra 10 SCOPE OF WORK: 2. GAP ASSESSMENT, CREATION OF CCMP PLAN AND DRAFTING Create Cyber Crisis Management OF Plan for UIIC as per CCMP guidelines Is there an existing Cyber Crisis Management Plan in place? INFORMATION issued by CERT-in & CYBER SECURITY POLICY-> Deliverables-> Point Current IT state General Is supporting relevant infrastructure (servers) of applications in scope of VAPT testing? No Yes 48 Tech Mahindra Current IT state General Is this the final list of applications in scope for penetration testing? 1. Genisys Configurator as the Core insurance system (policy issuance, underwriting, servicing and claims administration) 2. Customer Portal 3. Corporate Website 4. OEM Portal 5. Agent Portal 6. Grievance Portal 7. NEFT Portal 8. SAP FICO 9. SAP HRMS and Payroll 10. Eclipse (Reporting tool) 11. Integrated Treasury Management System(under implementation at present) 12. Centralized Desktop Management System 13. Corporate ing System(IBM Domino) 49 Tech Mahindra 50 Tech Mahindra General General Please specify the types of the application for eg. Thick client, Webbased, Web-services, Mobile application etc. Are there any tools for security testing being used currently or contractor has to use their own tools? Bidder can use their own tools and bear the cost themselves. 51 Tech Mahindra General When the VAPT activity is expected to start? After release of Purchase order

14 52 Tech Mahindra General 53 Tech Mahindra General 54 Tech Mahindra General 55 Tech Mahindra General Will there be separate testing environment for applications penetration testing? Please specify the number of Assets to be covered in VA e.g. Servers, network Components, Databases etc For VA, please specify the Operating Systems Type (Windows, Linux, Unix etc.) For VA, please specify the Network components (Switches, Firewall, Routers etc.) Will be provided by UIIC 56 Tech Mahindra General For VA, please specify the Database Type ( MS SQL, Oracle etc.) 57 Tech Mahindra General For PT, Number of IP s to be covered 58 Tech Mahindra General 59 Tech Mahindra VA/PT 60 Tech Mahindra VA/PT Approximately how many webpages would each web application have? 50, 100, 500+ etc? Please specify this for all applications in scope. Is this activity to be carried out from multiple locations or single? Please specify the location from where the VAPT is to be carried out. Please confirm if understanding is correct: External VAPT can be performed from offshore (contractor's location) Yes 61 Cisco Systems India PVT LTD 10 VULNERABILITY ASSESSMENT AND PENETRATION TESTING (VA/PT) OF APPLICATIONS AND NETWORKS DEVICES For internal servers, network How may Internal IP address of Servers, Network Devices & devices and databases the VAPT will Databases needs to be considered in scope for VAPT? Broad Estimate be from the Companies on number of ip address would also help us in our scoping exercise environment internally.

15 62 Cisco Systems India PVT LTD 10 VULNERABILITY ASSESSMENT AND PENETRATION TESTING (VA/PT) OF APPLICATIONS AND NETWORKS DEVICES External VAPT will be conducted from outside for the external web applications How many external facing Applications needs to be considered in scope for VAPT? 63 Cisco Systems India PVT LTD 10 VULNERABILITY ASSESSMENT AND PENETRATION TESTING (VA/PT) OF APPLICATIONS AND External VAPT will be conducted from outside for the external web applications Do we need to perform code review of application for vulnerability assessment or only perform black box testing on Web application to identity vulnerability? Black, White & Grey Box 64 Tender document Fee Tender document Fee Rs.5000/ We are registered with MSME (UdyogAadhaar), Refer Point 10 of Reply Rs.5000/- 65 EMD Rs.1.0 Lacs EMD Rs.1.0 Lacs Refer Point 10 of Reply 66 1& 3 As per the PPC, Companies who are registered under MSME or Micro / small are exempted from Tender fees & EMD ( based on the Public Procurement Policy for MSE Order, 2012, dt , Clause 10 copy attached). We have added our MSME certificate also. Refer Point 10 of Reply 67 As per your RFP clause every bidder has to pay Tender fee of Rs.5,000/- and EMD of Rs.1.0 Lakhs, So please let us know whether we are eligible forexemption fortender fees & EMD.We have already got exemption from 2 PSU s in this year on the same clause. Refer Point 10 of Reply AUDITime Information Scope of Work - General Queries -

16 Information Systems (I) Ltd Please provide the scope of VA/PT for : - Applications -Servers - Network Devices Whether all applications or only web facing applications will be under VAPT scope? Any dates/ timelines for follow-up / compliance audits/ security performed? Refer RFP and Addendum dated Please provide likely date/ time frame to commence the audits? Refer RFP and Addendum dated What is the primary location of the audit? Chennai? 73 Locations of Near DR & Far DR? 74 Number and details of locations other than DC, DR & Near DR for physical &/or other security audit? 75 If there are outsourced vendor services, please provide details of services under the scope of those vendors? will be shared with successful bidder 76 Does the scope include to visit 3rd party sites or any 3rd party services to be audited?if so, please provide details What is the number of the applications, network devices, database and servers/ip address that needs to go under PT/VA (Please specify the IP address/subnet of the devices, applications, servers, databse ). Number of internal servers to be audited Number of internal desktops to be audited Number of internal laptops to be audited Number of internal L3 switches to be audited Number of internal firewalls to be audited 50 5

17 Number of internal routers to be audited Any other internal network devices to be audited Number of external servers to be audited Number of external IP addresses Number of external firewalls to be audited Number of wireless access points to be audited Any other external network devices to be audited The application's buisness criticality list and the data-base dependency & entanglement b/w applications are required on general scale, What are the major modules of the website/application. How many Dynamic and Static pages are in the website/portal? How many different level of users (Admins ) are available. Pls specify the Business role of said device - Web AppServer (for webappsec testing), Permeter Device, Generic Server etc. For Web applications please provide information based on number of pages per web application. Please breif about the description of website What are the major modules of the website? How many Dynamic and Static pages are in the website?

18 How many different level of users are there? Is there any interconnectivity to other systems/applications Does the VA Testing required to be Intrusive/Non-intrusive.(Incase this is Intrusive,we would one Read-only user-id/passwrd for testing ) will be given by UIIC For Penetration test,incase Gray box testing is required,please provide two user credentials (user/admin) 10 & (1) DELIVERABLES Reporting fromat will be based on the description mentioned in 26 (1) Point 5, 6, Deliverables. Any additional type of reporting format required? (4) IS Consulting for readiness of external audit & ISO 27001:2013 certification Scanning Window (specific time frame in which only the application needs to be scanned ) How many locations are the systems spread out across? Is this testing required to be done over Internet OR internally over LAN will be given by UIIC Standard Reports in PDF format After business hours Both, depends on application accessibility Will the testing be conducted on-site or remotely via internet or VPN? Both, depends on application accessibility Any target date for the audit to be started and/or be completed by? Is the ISO27001:2013 certification scope for 1 (One) location or multiple locations? After release of Purchase order Head Office, Chennai

19 UIIC shall be entitled to terminate the agreement/purchase order with the Bidder at any time giving 30 days prior written notice to the Bidder if the Bidder breaches its obligations under the tender document or the subsequent agreement/purchase order and if the breach is not cured within 15 days from the date of notice. Bidder would like to seek more clarifications on this clause before agreeing to the same. Also we woule like to seek a cure period of days for a cure of any breach conducted, failure to which customer should have the right to terminate the services. Also under no circumstances customer will be entitled with the rights to terminate the contract for it's convenience. In such a case customer will be requested to pay an early termination charge equivalent to the payable net for the balance contract period from the date of termination No Change

20 No failure or delay on the part of any of party relating to the exercise of any right power privilege or remedy provided under the this RFP and the subsequent agreement with the other party shall operate as a waiver of such right, power, privilege or remedy or as a waiver of any preceding or succeeding breach by the other party nor shall any single or partial exercise of any right, power, privilege or remedy preclude any other or further exercise of such or any other right, power privilege or remedy provided in this RFP and subsequent agreement all of which are several and cumulative and are not exclusive of each other or of any other rights or remedies otherwise available to either party at law or in equity unless such waiver, amendments or modification is in writing and signed by the party against whom enforcement of the waiver,amendment or modification is sought. Bidder would like to seek more clarifications on this clause before agreeing to the same a The agreement shall be in force for a period of sixty days beyond the completion of project from the date of issue of Purchase Order. UIIC is requested to release the payments for the additional 60 days of service beyond contract period as per the rates agreed in RFP This is a clause to restrict any right power, privilege or remedy by respective authorities within the boundaries of this RFP & Corrigendum and subsequent agreement. No Change Payment Milestones The payments for all services provided cannot be dependent on the approval milestones of UIIC and hence customer is requested to release the payment in quarterly in advance mode upon invoicing post delivery and acceptance of services Heading "Payment Milestones" can be read as "Payment Milestones as per Scope of Work". Payment can be released only in arrears.

21 Payment Terms The payments for all services provided cannot be dependent on the approval milestones of UIIC and hence customer is requested to release the payment in quarterly in advance mode upon invoicing post delivery and acceptance of services No Change PUBLICITY Any publicity by the vendor in which the name of the Company is to be mentioned should be carried out only with the prior and specific written approval from the Company. In case the vendor desires to show any of the equipment to his customers, prior approval of the Company will have to be obtained by him in writing. Bidder be permitted to provide to any of its other customers or potential customers who are bound by a nondisclosure agreement access to a list of Bidder s customers and a generic description of the services purchased by such customers, which list may use Customer's trade name (but not trademark) and the services purchased by Customer (provided that financial terms relating to the purchase shall not be disclosed) No Change Indemnification: (i) for gross negligence or wilful default in performance of the services; (ii) for breach of any terms of the tender or any representation or warranty; (iii) use of services; (iv) IPR & other statutory infringement (v) proven loss or damage to tangible property or premise etc. due to gross negligence or wilfull default (vi) proven or loss or damage arising out of loss of data, claims of infringement of IPR, malfunctioning of equipment There should not be any indemnity obligation for service related matters. Applicable service credit allowance should be sufficient remedy for service related issues. Further, for indemnification obligation should not be for any breach but should be for "breaches having material adverse effect", which are not cured within the cure period. Further, the overall liability of the Bidder for indemnification obligation under this clause should be restricted to direct damages and be capped at charges collected by the Bidder during the previous 12-months under the applicable order giving rise to such liability. The overall liability of the Bidder for indemnification obligation under this clause shall be restricted to direct damages and be capped at business loss suffered by UIIC due to the direct damages.

22 Liquidated Damages For service related matters, the applicable service credit should be adequate remedy. Further, the cure period should be alteast 30 day and if the breach is not cured within 30 day, them the Bank can terminate the affected service gby iving 30-days No Change Termination The cure period should be alteast 30 day and if the breach is not cured within 30 day, them the Bank can terminate the affected service gby iving 30-days 9 22 The successful bidder shall sign the agreement within 21 days from the date Letter of Acceptance (LOA) from UIIC Provided that the contract is in accordance with the terms and conditions of this RFP and the proposal submitted by the Bidder and no new terms and conditions are there in it 17 Annexure - III No Blacklisting Declaration Bidder proposes following revised language: "We do hereby declare and affirm that to the best of our knowledge and belief, we have not been blacklisted by Central / any State Government / PSU s or any regulatory bodies as on the date of bid submission" 22 Annexure - VII Non-disclosure Agreement Format Bidder proposes deletion of following line in clause 2 (2nd para): "In this regard, the agreement entered into between the Receiving Party and any such person/s shall be forwarded to the Disclosing Party promptly thereafter" No Change No Change Agree No Change Annexure - VII Non-disclosure Agreement Format Bidder proposes deletion of following line in clause 5 (1st para): "and the Receiving Party agrees to reimburse the reasonable legal fees and other costs incurred by Disclosing Party in enforcing the No Change provisions of this Agreement apart from paying damages with interest at the market rate prevalent on the date of breach to the Disclosing Party"

23