RFP FOR INFORMATION SYSTEM AUDIT

Similar documents
Request for Proposal (RFP)

Bidding Document. Renewal and Maintenance Support of Intrusion Detection System / Intrusion Prevention System (IDS/IPS)

ADMINISTRATION DEPARTMENT TENDER FOR RENEWAL OF EXISTING KASPERSKY ANTIVIRUS TOTAL SECURITTY FOR BUSINESS LICENSES FOR USE AT NIT KARACHI

TENDER FOR RENEWAL OF EXISTING KASPERSKY ANTIVIRUS LICENSES FOR USE AT NIT, KARACHI

RESERVE BANK OF INDIA

NOTICE INVITING TENDER FOR ISO CERTIFICATION

available in India to be conducted for the following application vs

TENDER NOTICE FOR SYMANTEC ANTIVIRUS RENEWAL AND SUPPORT

CORRIGENDUM. Corrigendum to RFP No. SBI/GITC/PMD/ /402 dated

Request For Quotation from Service Providers. for. Appointment of Consultant for Migration to ISO/IEC 27001:2013 alongwith Implementation for UTIITSL

Government of Bihar Bihar Institute of Public Administration and Rural Development(BIPARD) WALMI Complex, Phulwarisharif Patna

Tender Schedule No. Figure: Active-Active Cluster with RAC

DENA BANK INFORMATION TECHNOLOGY DEPARTMENT, HO, MUMBAI.

Policy for Accrediting Assessment Bodies Operating within the Cradle to Cradle Certified Product Certification Scheme. Version 1.2

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Request For Quotation from Service Providers. for

IDBI BANK LIMITED IDBI TOWER, WTC COMPLEX, CUFFE PARADE MUMBAI

Request for Qualifications for Audit Services March 25, 2015

The Common Controls Framework BY ADOBE

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

REPCO HOME FINANCE LIMITED

IS Audit of Stock Brokers

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Audit & Inspection Department - Head Office: Manipal. Empanelment of CISA qualified individuals on Contract Basis for conducting IS Audits

Sybase Database Details. Data Device Usage. Transaction Log Segment Usage

INVITATION OF BIDS FOR TENDER

DATA PROCESSING TERMS

Biotech Consortium India Limited

Request for Proposal for Technical Consulting Services

SECURITY & PRIVACY DOCUMENTATION

Request for Proposal HIPAA Security Risk and Vulnerability Assessment. May 1, First Choice Community Healthcare

TENDER DOCUMENT for Renewal of SonicWALL NSA 4500 and SonicWALL Enforced Anti-Virus & Anti-Spyware at NIHFW

Information Technology General Control Review

EXHIBIT A. - HIPAA Security Assessment Template -

Bidding Document PROVISION AND INSTALLATION OF VOICE OVER IP PHONE EQUIPMENT. Last Date for Submission: Tender Opening Date:

New Jersey LFN Packet Check List

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

DISTRICT OF COLUMBIA WATER AND SEWER AUTHORITY DEPARTMENT OF PROCUREMENT

NYDFS Cybersecurity Regulations

I. PURPOSE III. PROCEDURE

As used in these Rules and unless the context otherwise requires: CMIC shall refer to the Capital Markets Integrity Corporation.

Apex Information Security Policy

Request For Proposal ONWAA Website & E-Learn Portal

KENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT)

Great Northern Corporation Request for Proposal for Network Server Installation and Service

REQUEST FOR PROPOSAL (RFP)

REQUEST FOR PROPOSALS

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Checklist: Credit Union Information Security and Privacy Policies

APPLICATION FORM FOR CERTIFICATION BODIES Ready Mix Concrete Plant Certification Scheme (RMCPCS)

Quotation Notice. S/d DIRECTOR

INDIA TOURISM DEVELOPMENT CORPORATION LIMITED Unit : Ashok Travels & Tours, Bangalore

NATIONAL INFORMATION TECHNOLOGY AUTHORITY - UGANDA (NITA-U) REGIONAL COMMUNICATIONS INFRASTRUCTURE PROGRAM (RCIP) INFORMATION SECURITY SPECIALIST

SSC Transformation Initiative Fairness Monitoring Services

Information Security Policy

TENDER FOR SUPPLY AND INSTALLATION OF COMPUTER SYSTEM, SOFTWARE, PRINTER & UPS.

Position Description IT Auditor

UCO BANK Department of Information Technology

Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR )

TENDER 10/2017 Installation and Supply of Data Center Hyper-Converged Infrastructure. Requirement Specification Document

THE INSOLVENCY PROFESSIONAL AGENCY CMA BHAWAN, 3, INSTITUTIONAL AREA, LODHI ROAD, NEW DELHI

Advent IM Ltd ISO/IEC 27001:2013 vs

Exhibit A Questionnaire

APPLICATION FORM FOR CERTIFICATION BODIES Voluntary Certification Scheme for Ayush Products / Provisional Approval

General Data Protection Regulation

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

TENDER FOR SUPPLY AND INSTALLATION OF COMPUTER SYSTEM, SOFTWARE & UPS.

SCI QUAL INTERNATIONAL PTY LTD ENQUIRY & APPLICATION/RENEWAL FORM FOR CERTIFICATION

UI/UX specifications document for the website template mentioned below.

RfP No. APSFL/CCTVPMA/231/2016, Dated:

OIL AND GAS REGULATORY AUTHORITY *******

BOT Notification No (1 September 2017)-check

Contracting for an IT General Controls Audit

Information technology Security techniques Information security controls for the energy utility industry

PROVISION, INSTALLATION, COMMISIONING & DEPLOYMENT OF BLADE SERVERS WITH CHASSIS

Level 5 Award in Understanding the Management of Physical and Cyber Asset Security in the Water and Environmental Industries

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

SHIVAJI COLLEGE, UNIVERSITY OF DELHI RAJA GARDEN, RING ROAD NEW DELHI NOTICE INVITING TENDERS

Altius IT Policy Collection

GAUHATI UNIVERSITY INSTITUTE OF SCIENCE AND TECHNOLOGY GopinathBordoloi Nagar, Guwahati Telephone No.:

ALGORITHMIC TRADING AND ORDER ROUTING SERVICES POLICY

VOLUNTARY CERTIFICATION SCHEME FOR MEDICINAL PLANT PRODUCE REQUIREMENTS FOR CERTIFICATION BODIES

Telecommunications Consultants India Ltd. (A Government of India Enterprise)

Information Security Controls Policy

98 Years of Relentless Journey towards Engineering Advancement for Nation-building. Ref : SP/T-1623 Date : NOTICE INVITING TENDER

Notice inviting Tender for Web site design & Development

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Certified Information Systems Auditor (CISA)

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

FDIC InTREx What Documentation Are You Expected to Have?

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Baseline Information Security and Privacy Requirements for Suppliers

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

DIT/BPR&BTD/OA/1206/

Guidelines. Technical and Financial Support. State Wide Area Network (SWAN)

Corrigendum regarding Tender Document for providing three year licenses, installation, configuration, deployment,

Transcription:

RFP FOR INFORMATION SYSTEM AUDIT 2018-19

I. Introduction II. The Kerala State Cooperative Bank Ltd. is the apex bank of the Cooperative Banking structure in Kerala that is approved by the Registrar of Cooperative Societies, Government of Kerala. The 14 District Cooperative Banks in the State and the Government of Kerala are members and shareholders of the Bank. The Bank operates through a network of 20 branches. The Bank has three Regional Offices - one each at Thiruvananthapuram, Ernakulum and Kozhikode, for effective supervision and control of its own branches as well as the constituent District Co-operative Banks. Since July 1966, KSCB is permitted to perform banking functions as per the Banking Regulation Act. The Bank is doing basic banking functions of accepting deposits, lending loans through its branches, ATM Operations with PoS, NEFT/RTGS. Facilities like mobile banking, internet banking etc are in the pipeline. The customer base of KSCB has grown considerably over the years and extending the conveniences of present day banking services to the customers of KSCB is hence seen as a necessity. The bank is already functioning with fullfledged international core banking software Finacle 7.0.29. Purpose of the RFP Information Systems Audit should cover entire Information Systems Infrastructure which includes Servers & other hardware items, Operating Systems, Databases, Application Systems, Technologies, Networks, Facilities, and Process & People. This RFP seeks to engage a Service Provider who has the capability and experience, to conduct the following: Conducting Information Security Audit including technical, physical and administrative aspects and to make appropriate recommendations, as covered under the Scope of Work. Carrying out risk analysis of all IT assets of the Bank and preparation of Risk Matrix based on Guidelines issued by RBI and Govt. of India. Giving scope document, guidelines and devising framework for continuous audit of 100% Transactions. The aim of the RFP is to solicit proposals from qualified bidders for undertaking above detailed assignments. III. Eligibility criteria Only those service providers who fulfill the following criteria are eligible to respond the RFP. Offers received from the service providers who do not fulfill all or any of the following eligibility criteria are liable to be rejected. i.the service provider should be a current legal entity (Company /Firm /Organization/ independent subsidiary) in India.

ii. Should be in business of Information System auditing in India at least for last three years. iii. Should be in net profit in at least two years out of last three financial years. iv. Should have conducted two Information System audits of data centers and other IT Infrastructure of banks in India v. Should have conducted application audit of Core Banking Solution in at least two Banks with more than 20 branches. vi.should not have been blacklisted, as on the date of tender submission, by any nationalised Bank / RBI /IBA or any other Central/State Government department / agency. vii. IS Auditors should be competent audit professionals with sufficient and relevant experience. Qualifications such as CISA (offered by ISACA0, DISA (offered by ICAI), or CISSP (offered by ISC2), along with 2 or more years of IS Audit experience are desirable. viii. Should be eligible as per RBI Norms on eligibility, empanelment and selection of Statutory Central Auditors in Public Sector Banks from the year 2017-18 and onwards IV. Scope of work The selected vendor has to go through the audit reports of previous years and has to check whether all the observations are complied. They have to comment on status of non-complied observations, while undertaking fresh audit under this RFP. During the course of audit, if the service provider observes any major deficiencies, they should immediately bring such observations, deficiencies, areas of improvement and suggestions for improvement to the notice of the concerned persons. The service provider should also discuss with, guide/help the Bank staff in implementation of the critical and important suggestions. IS Audit should cover entire spectrum of computerized functioning including the areas with special reference to the following: A. Policy, Procedures, Standard Practices & other regulatory requirements: i. Bank s IT Security Policy & Procedures. ii. RBI guidelines on Information Security & other legal requirements. iii. Best practices of the industry B. Physical and Environmental Security 1. Access control systems 2. Fire / flooding / water leakage / gas leakage etc.

3. Assets safeguarding, Handling of movement of Man/Material/ Media/ Backup / Software/ Hardware / Information. 4. Air-conditioning of DC/ DRC, humidity control systems 5. Electrical supply, Redundancy of power level, Generator, UPS capacity. 6. Surveillance systems of DC / DRC 7. Physical & environmental controls. 8. Pest prevention (rodent prevention) systems C. Operating Systems Audit of Servers, Systems and Networking Equipments 1. Setup & maintenance of Operating Systems Parameters 2. Updating of OS Patches 3. OS Change Management Procedures 4. Use of root and other sensitive Passwords 5. Use of sensitive systems software utilities 6. Vulnerability assessment & hardening of Operating systems. 7. Users and Groups created, including all type of users management ensuring password complexity, periodic changes etc. 8. File systems security of the OS 9. Review of Access rights and privileges. 10. Services and ports accessibility 11. Review of Log Monitoring, its sufficiency, security, maintenance and backup. D. Application level Security Audit 1. Only authorized users should be able to edit, input or update data in the applications or carry out activities as per their role and/or functional requirements 2. User maintenance, password policies are being followed are as per bank s IT security policy 3. Segregation of duties and accesses of production staff and development staff with access control over development, test and production regions. 4. Review of all types of Parameter maintenance and controls implemented. 5. Authorization controls such as Maker Checker, Exceptions, Overriding exception & Error condition. 6. Change management procedures including testing & documentation of change. 7. Application interfaces with other applications and security in their data communication. 8. Search for back door trap in the program. 9. Check for commonly known loopholes in the software. 10. Identify gaps in the application security parameter setup in line with the banks security policies and leading best practices

11. Audit of management controls including systems configuration/ parameterization & systems development. 12. Audit of controls over operations including communication network, data preparation and entry, production, file library, documentation and program library, Help Desk and technical support, capacity planning and performance, Monitoring of outsourced operations. 13. To review all types of Application Level Access Controls including proper controls for access logs and audit trails for ensuring Sufficiency & Security of Creation, Maintenance and Backup of the same. E. Network Security Security architecture of the entire network including: 1. Understanding the traffic flow in the network at LAN & WAN level. 2. Audit of Redundancy for Links and Devices in CBS Setup. 3. Analyze the Network Security controls, which include study of logical locations of security components like firewall, IDS/IPS, proxy server, antivirus server, email systems, etc. 4. Study of incoming and outgoing traffic flow among web servers, application servers and database servers, from security point of view. 5. Routing protocols and security controls therein. 6. Study and audit of network architecture from disaster recovery point of view. 7. Privileges available to Systems Integrator and outsourced vendors. 8. Review of all types of network level access controls, logs, for ensuring sufficiency & security of creation, maintenance and backup of the same. 9. Secure Network Connections for CBS, ATM and Internet Banking including client/ browser based security. 10. Evaluate centralized controls over Routers installed in Branches & their Password Management. 11. Checking of VLAN Architecture 12. TCP ports 13. Checking of Firewall Access control List 14. Routers and Switches are using AAA model for all User authentication 15. Enable passwords on the Routers in encrypted form and check password compliance with minimum strength. 16. Local and remote access to network devices is limited and restricted. F. Others 1) Inventory movement controls & maintenance, equipment maintenance and disposal measures, change & configuration management processes,

2) Audit of Logging and monitoring processes, 3) Audit of Delivery channels, 3rd Party Products and various other interfaces NGRTGS, NEFT, NACH, CTS and E-mail Systems which are integrated with the Core Systems. V. Terms and Conditions 1. All the queries and clarifications must be sought in writing to the email id: cobankit@gmail.com Single point of contact:- Deputy General Manager, IT Department, Kerala State Co- Operative Bank Ltd., Cobank Towers, Vikasbhavan P.O, Palayam, Thiruvananthapuram-695033 2. One hard copy of the Technical Bid and One Copy of the Commercial Bid must be submitted at the same time, giving full particulars in separate sealed envelopes at the Bank s address given below on or before the schedule given in section VI. Address: The Co-bank Towers, Vikas Bhavan PO Palayam. PIN-695033 3. All the envelopes must be super scribed with the following information Proposal for Conducting IS Audit- 2017-18 (Technical bid) Proposal for Conducting IS Audit- 2017-18 (Commercial Bid) 4. The offer should remain valid for a period of 180 days from date of submission of the proposal. At the option of the Bank, the vendor should extend the validity of offers for such required period (s), as the Bank may require during the evaluation process. 5. The technical proposal must contain the following: - Bidders profile Details of professional personnel Details of lead audit certification from leading certification Bodies Details of the similar assignments executed by the bidder in other Banks Proposed Methodology and work plan Estimated time to complete the audit 6. The commercial proposal must contain the following:- The Commercial Proposal should provide all relevant price information in Indian Rupees only It should not contradict the unpriced technical proposal in any manner. The responses should be strictly as per the terms and conditions of this RFP. Service Providers are advised not to attach or specify any terms and

conditions. The Bank reserves its right to reject the proposals received with any additional terms and conditions specified by the Service provider. The Commercial Bid should include all taxes, duties, fees, and other charges as may be levied under the applicable law as on the date of submission of the proposal. However, the tax component of the prices should be shown separately The total must be quoted in WORDS AND FIGURES. In case of discrepancy between the words and figures, lower of the two would be considered as the price quoted and the same will be binding on the vendor. The price quoted should be inclusive of following: Professional Charges Travel and Halting expenses, including local conveyance Out of pocket expenses All applicable taxes, duties and levies Work Contract tax, if any, applicable should be borne by the Service provider. 7. The Contract with the selected bidder shall be governed in accordance with the Laws of India for the time being enforced and will be subject to the exclusive jurisdiction of Courts at Thiruvananthapuram (with the exclusion of all other Courts). 8. The Managing Director, KSCB reserves the right to reject any proposal/tender/rfp with or without assigning any reason at any time and to restrict the list of firms to any number deemed suitable. VI. Schedule Description Due Date*** Issue tender notification 11/10/2018 RFP submission Bid opening Evaluation of technical proposal Commercial evaluation Discussions and negotiations Award of contract 29/10/2018; 1:00p.m. 29/10/2018; 1:15p.m. Will be informed later Will be informed later Will be informed later Will be informed later ***All dates mentioned above are tentative dates and the bidder acknowledges that it cannot hold the Bank responsible for breach of any of the dates

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback