NATIONAL INFORMATICS CENTRE SERVICES INCORPORATED (A Government of India Enterprise under NIC) MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY


NATIONAL INFORMATICS CENTRE SERVICES INCORPORATED
(A Government of India Enterprise under NIC)
MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY

Expression of Interest from vendors for empanelment with NICSI for Application Security Services

TENDER NO. NICSI/EOI-APPLICATION SECURITY/2017/10

HALL NO. 2&3, 6TH FLOOR, NBCC TOWER, 15 BHIKAJI CAMA PLACE, NEW DELHI 110066. TEL 26105054, FAX 26105212

Table of Contents

1. ABOUT NICSI
2. ABOUT THE TENDER
2.1. SCOPE OF WORK
2.2. IMPORTANT DATES
3. AVAILABILITY OF TENDER
4. PRE-BID QUERIES
5. BID SUBMISSION
6. BID OPENING
7. BID EVALUATION
8. GENERAL TERMS & CONDITIONS
9. ANNEXURE
ANNEXURE 1. ELIGIBILITY CRITERIA
ANNEXURE 2. BIDDER'S PROFILE

1. ABOUT NICSI

The National Informatics Centre Services Inc. (NICSI) was set up in 1995 as a section 25 Company under National Informatics Centre (NIC), Ministry of Electronics & Information Technology, Government of India to provide total IT solutions to the Government organizations. NICSI provides services for a number of e-governance projects undertaken by NIC and Ministry of Electronics and Information Technology (MeitY).

Main Objectives:

1.1 To provide economic, scientific, technological, social and cultural development of India by promoting the utilization of Information Technology, Computer-Communication Networks, Informatics etc. by a spin-off of the services, technologies, infrastructure and expertise developed by the NIC of the Government of India including its Computer-Communication Network, NICNET and associated infrastructure and services.

1.2 To promote further development of services, technologies, infrastructure and expertise supplementing that developed by NIC in directions which will increase the revenue earning capacity of NIC.

1.3 To develop and promote value added computer and computer-communications services over the basic infrastructure and services developed by NIC including NICNET.

In furtherance of these objectives, NICSI has been providing various products & services to organizations in the Central Government, State Governments and PSUs etc. Products and Services include Hardware, Systems Software, Application Software, Software Development, Intra-Networking, Wide Area Networking, Video Conferencing, IT Consultancy, IT Implementation Support among others.

2. ABOUT THE TENDER

2.1. SCOPE OF WORK

NICSI as part of the Application Security Services will empanel maximum of two vendors for the execution of work. The total number of websites/applications in the NIC network is around 8000 to 10000. The empanelment will be for 3 years initially and can be further extended for two years depending upon mutual consent.

In-Scope Location: The successful bidders have to execute the activities at the following locations:

1. All four National data centers at New Delhi, Hyderabad, Pune and Bhubaneshwar
2. Regional App Sec Centres (4 6)
3. 29 State NIC Data Centres, 7 Union territories

Assessment Process: All the selected vendors would be required to provide services for the allocated pool of Web Sites/applications either separately in each category or as a combination as:

In-Scope Activities: Activities for Each Empanelled Vendor

Activities/Qualification:
- Broad Application Security Audit and Compliance Activities (including infrastructure assessment)
- Application Penetration Testing (including infrastructure assessment)
- Web application firewall as a service
- Optional Activity: Comprehensive Security Audit relevant to a project / setup

NIC hosts around 8000 to 10000 portals / websites / applications for the Government. These are hosted currently at the National Data Centres at Delhi, Hyderabad, Pune, Bhubaneshwar and the NIC State centres.

Most applications cater to the requirement of respective government departments/ministries. These are either developed/managed in-house by NIC or are developed and managed by the departments themselves. The possibility of attack is due to flaws in the design, development and deployment of application software. The vulnerabilities thus created may be exploited by intruders with malicious intent to cause defacements, data corruption, data/information leakage and disruption in service continuity etc. To track such vulnerabilities, Security Audits and penetration testing are required to be performed, followed by subsequent hardening aimed to mitigate the vulnerabilities and strengthen the security of the applications and their environment.

As a policy, all websites / applications hosted at the NIC data centres have to go through a complete security audit process before they can be onboarded or whenever an alteration/addition is made to the application. The security audit / penetration testing is undertaken at various stages before, during and after hosting. An additional layer of protection is provided for each site through a Web Application Firewall service.

Before Hosting
- Security audit of Web Application as per latest OWASP standard & NIC guidelines and submission of report for required remediation
- Second level testing for verification of closing up all the discovered vulnerabilities
- Issuance of Certificate of safe for hosting

During Hosting
- Configuration review / SSL deployment
- Random Penetration Testing of hosted application
- Provisioning of Web Application Firewall on NIC cloud for each application

After Hosting
- Black Box External Penetration Testing at regular intervals

These and related activities are being undertaken by in-house professionals of the Cyber Security Group (Application Security) of NIC. Considering the magnitude of the work, this specialized group needs the services of an organization that can manage end to end security for these Web Applications.

This tender aims for empanelment of agencies for providing Application Security Services at NIC HQs and at other centres of NIC. The scope of this tender includes Application Security Audit and Compliance Services, Penetration testing and WAF as a service. The methodology for application audit to be followed shall be based mainly on the Open Web Application Security Project (OWASP) model. However, there may be necessary variations in approach as required by NIC and each auditor is expected to comply with all NIC laid down policies and procedures for conducting application security audits.

2.1.1 Broad Application Security Audit Activities

The security auditors shall be performing some or all of the following activities:

1. Identify the application level vulnerabilities on applications hosted at test site / production site based on the latest top 10 OWASP vulnerabilities
2. Daily or on demand application scans
3. An audit of the environment along with the application to ascertain any vulnerabilities in the environment where the application is hosted

4. The auditor must have his own tools to conduct audit activities
5. The activity should additionally include but not be limited to the following, which are vulnerable to the web application:
   5.1. Password strength on authentication pages
   5.2. Scan Java Script for security vulnerabilities
   5.3. File inclusion attacks
   5.4. Web server information security
   5.5. Malicious File Uploads
6. Provide recommendations for remediation of identified vulnerabilities
7. Submit detailed reports for each iteration of audit and a final report showing all vulnerabilities as closed. The report should contain found vulnerabilities, vulnerability description and solution
8. Follow a specific format for reports, if so required by NIC
9. Certify the applications / websites tested as Safe for Hosting
10. Accept responsibility for declaring the websites / URLs / mobile applications free from known vulnerabilities
11. Any other activity concerning security audit related aspects, not essentially covered by work areas outlined above

Coverage: All web applications hosted over NICNET domain and related Mobile Apps

2.1.2 Penetration testing

1. Vulnerability assessment and pen-testing for deployed and running applications/mobile apps.
2. The activity must include both the manual and automated assessment.
3. This activity should be done every quarter or on a 6 month basis
4. The infrastructure will include the database, application server and the OS.
5. The activity must include identification and evaluation of vulnerability present at the infrastructure level for application. The same must be represented by detailed report of the vulnerability with an adequate recommendation.
6. An incident report must be prepared as part of penetration testing

Coverage: All web applications hosted over NICNET domain and related Mobile Apps

2.1.3 WAF as a service

Web application firewall as a service will be deployed in the NIC cloud and it would consist of a load balancer and an SSL offloader. It has to be scalable and should have a central management component. It shall have orchestration support for VM managers. A broad list of tasks which the WAF should do is:

- The WAF should have updated signatures to protect against OWASP Top 10 attacks and other common web based attacks such as clickjacking, website scraping, etc.
- The WAF should induce minimum latency of less than 1 ms
- The WAF should have built-in load balancing
- The WAF should support offloading SSL traffic and enforcing specified SSL algorithms
- The WAF should provide compression and caching features to optimize websites
- The WAF should support authentication schemes such as LDAP, RADIUS, etc.
- The WAF should have built-in APT scanning

- The WAF should be able to block TOR IPs and bad reputation IPs
- The WAF should provide built-in application DDoS mitigation
- The WAF should prevent sensitive information disclosure from website
- The WAF should support page rules for website
- The WAF should support custom error pages to prevent web server information disclosure
- Provision of configuring the WAF as per the criticality of the website
- Single management console to manage multiple WAF instances protecting multiple websites
- Fine grained user access control to manage security of one or more websites as applicable
- WAF should at least provide the following statistics on the management console:
  1. Details of top Source IP, top Destination IP, Source port & Destination port
  2. Application Layer Summary (Top Devices, Referrer used, etc)
  3. Attack Summary (Time of Attack, type of attack, url accessed, suspicious parameters in the HTTP request, etc)
  4. Traffic Summary (Request Dropped, total visitors, security events, maximum bandwidth etc)
  5. Audit trails for PCI compliance along with periodic (daily / weekly) reporting to stakeholders
- There should be provision of zero downtime on boarding with WAF protection in blocking mode from day one

We invite responses from bidders on this expression of intent to provide Web Application Security Services of Websites/Applications/Infrastructure including mobile applications managed/developed by NIC. A maximum of two qualified bidders will be empanelled with NIC for a period of two years which can be further extended for another year based on negotiations. Only those bidders who respond to this EoI and qualify the eligibility criteria mentioned in this document will be issued the RFP document and will proceed for technical and financial evaluation.

2.2. IMPORTANT DATES

Date of publication: 02.02.2018
The EoI document is available at: https://etenders.gov.in/eprocure/app
Seek clarification start date: 03.02.2018
Seek clarification end date: 09.02.2018
Pre-bid meeting date: 12.02.2018 at 1130 Hrs
EoI submission end date: 19.02.2018 till 1530 Hrs
EoI opening date: 20.02.2018 at 1530 Hrs

3. AVAILABILITY OF TENDER

Bid submission shall be online through e-procurement System.

The EoI document is available at e-procurement site https://etenders.gov.in/eprocure/app

Prospective bidders desirous of participating in this tender may view and download the tender document free of cost from above mentioned website.

4. PRE-BID QUERIES

NIC shall hold a pre bid meeting with the prospective bidders at Pre-bid meeting date as mentioned in Section 2.2 Important Dates. Queries (including the bidding conditions & bidding process) received from the prospective bidders in writing, or over email, up till Seek clarification end date as mentioned in Section 2.2 Important Dates, shall be addressed. The queries can be sent to NIC through email at tender-nicsi@nic.in

Only those pre-bid queries which are received in the following format (in xls) shall be entertained:

Company name: M/s.
Columns:
- S. No.
- Name and number of section / annexure / Pg. No. of tender
- Name and number of sub category / table, if any
- Item no., if any
- Item description
- Query
- Description of requested change

5. BID SUBMISSION

5.1. Online responses (complete in all respect) must be uploaded on https://etenders.gov.in/eprocure/app latest by EoI submission end date as mentioned in Section 2.2 Important Dates

5.2. The responses should be submitted as under:

EoI: The RAR file must be saved as EoI_BidderName.rar. It must contain the following information:
- Compliance sheets as per Annexure 1: ELIGIBILITY CRITERIA and the supporting documents (in pdf format) for the specified tier
- Bidder's profile as per Annexure 2: BIDDER'S PROFILE (in pdf format)
- Bidder must provide all documents mandated for eligibility criteria (in pdf format) for the specified tier
- Bidder must provide all the documents mandated for bidder's profile (in pdf format)
- Annexure 1: ELIGIBILITY CRITERIA (in excel form)
- Annexure 2: BIDDER'S PROFILE (in excel form)
- It is the sole responsibility of the bidder to ensure that there is no deviation in the information provided in pdf & excel versions for these two Annexures.

- All the documents must be digitally signed by the authorized signatory of the company. In case the document is signed by anyone other than the authorized signatory of the company, the bidder must enclose authorization letter from HR department of the company for the officer who signed the document
- All pages being submitted must be sequentially numbered by the bidder.

5.3. NICSI will not be responsible for any delay on the part of the bidder in obtaining the terms and conditions of the EoI or submission of the online responses.

5.4. The responses submitted by fax / e-mail / manually etc. shall not be considered. No correspondence will be entertained on this matter.

5.5. Conditional responses shall not be accepted on any ground and shall be rejected straightway. If any clarification is required, the same should be obtained before submission of the responses.

5.6. No responses will be accepted after the expiry of the deadline as stated above.

5.7. In case the day of submission is declared Holiday by Govt. of India, the next working day will be treated as day for submission of responses. There will be no change in the timings.

5.8. All pages of the response being submitted must be signed by the authorised signatory, stamped and sequentially numbered by the bidder irrespective of the nature of content of the documents. Un-signed & un-stamped bid may be summarily rejected.

5.9. At any time prior to the last date for receipt of responses, NICSI may, for any reason, whether at its own initiative or in response to a clarification requested by a prospective bidder, modify the EoI Document by an amendment. The amendment will be notified on https://etenders.gov.in/eprocure/app and should be taken into consideration by the prospective agencies while preparing their responses.

5.10. In order to give prospective agencies reasonable time to take the amendment into account in preparing their responses, NICSI may, at its discretion, extend the last date for the receipt of responses. No response may be modified subsequent to the last date for receipt of responses.

5.11. The agencies will bear all costs associated with the preparation and submission of their responses. NICSI will, in no case, be responsible or liable for those costs, regardless of the outcome of the tendering process.

5.12. Printed terms and conditions of the bidder will not be considered as forming part of their response. In case terms and conditions of the tender document are not acceptable to any bidder, they should clearly specify the deviations in their response.

5.13. Response not submitted as per the specified format and nomenclature may be outrightly rejected.

5.14. Ambiguous/Incomplete/Illegible responses may be outrightly rejected.

5.15. Submission of the response will be deemed to have been done after careful study and examination of all instructions, eligibility norms, terms and required specifications in the EoI document with full understanding of its implications. Responses not complying with all the given clauses in this EoI document are liable to be rejected. Failure to furnish all information required in the EoI Document or submission of a bid not substantially responsive to the EoI document in all respects will be at the bidder's risk and may result in the rejection of the bid.

5.16. NICSI, at any time during the course of evaluation of the responses, may seek verbal or written clarifications from the bidders, which may be in the form of presentation, undertaking, declaration, reports, datasheets, etc., if NICSI finds the information in the submitted responses to be insufficient/ambiguous/deviant or of any such nature that hinders the evaluation committee from arriving at a clear decision. It will entirely be at NICSI's discretion whether to seek clarifications or not, and what clarifications to seek, or take any other action as per the guidelines provided in the EoI.

6. BID OPENING

Online responses (complete in all respect) will be opened at Tender bids opening date as mentioned in Section 2.2 Important Dates in presence of bidders' representative, if available.

7. BID EVALUATION

7.1. The Bidders are requested to furnish documents to establish their eligibility (indicating the page number in the bid) for each of the items given in Annexure 1: Eligibility. Relevant portions in the documents should be highlighted. If a response is not accompanied by all the necessary documents, it may be summarily rejected.

7.2. Undertaking for subsequent submission of any of the eligibility documents will not be entertained. However, NICSI reserves the right to seek fresh set of documents or seek clarifications on the already submitted documents.

7.3. All documents should be submitted electronically in PDF format. Upon verification, evaluation/assessment, if in case any information furnished by the Bidder is found to be false/incorrect, their response will be summarily rejected and no correspondence on the same shall be entertained.

7.4. A response that does not fulfill all the stipulated eligibility conditions/criteria for a particular tier will not be considered.

8. GENERAL TERMS & CONDITIONS

8.1 If a dispute arises out of or in connection with this contract, or in respect of any defined legal relationship associated therewith or derived therefrom, the parties agree to seek an amicable settlement of that dispute by Conciliation under the ICADR Conciliation Rules, 1996.

8.2 The Authority to appoint the Conciliator(s) shall be the International Centre for Alternative Dispute Resolution (ICADR).

8.3 The International Centre for Alternative Dispute Resolution will provide administrative services in accordance with the ICADR Conciliation Rules, 1996.

8.4 NICSI reserves the right to cancel this EoI or modify the requirement without assigning any reasons. NICSI will not be under obligation to give clarifications for doing the aforementioned.

9. ANNEXURE

The necessary Annexures are given in the following pages.

ANNEXURE 1. ELIGIBILITY CRITERIA

Table columns: S.No.; Criteria; Documents to be submitted as qualifying documents (100% Compliance); Eligible (Yes/No); Reference of enclosed proof along with page number where document occurs in the bid. The last two columns are left blank for the bidder to fill in.

1. Criteria: The bidder/OEM must be a Company registered in India under the Companies Act 1956 or a partnership registered under the Indian Partnership Act 1932 with their registered office in India for the last three years as on 31st March 2017.
   Documents: Copy of valid Certificate of Registration attested by Company Secretary / Authorized Signatory

2. Criteria: Power of Attorney in the name of authorized signatory authorizing him for signing the documents or related clarifications on documents
   Documents: Power of Attorney in the name of authorised signatory

3. Criteria: Bidder must have an average annual turnover of INR 10 crores or equivalent amount in any other foreign currency during the last 3 financial years from sales of its products and services
   Documents: Duly signed & stamped CA certificate

4. Criteria: Bidder must have an average annual turnover of INR 5 crores or equivalent amount in any other foreign currency during the last 3 financial years from security services
   Documents: Duly signed & stamped CA certificate

5. Criteria: The bidder should have experience of at least 7 years in providing Information Security Audit and consulting services as on the date of bid submission
   Documents: Declaration on letter head signed by authorized signatory

6. Criteria: The bidder must have executed a minimum of five projects related to Application Security Audit in any Government (Central / State / PSUs) departments or private organizations with at least one project executed in India. The order value placed must exceed INR 50 lacs or equivalent in any foreign currency for each project during the last three financial years
   Documents: Duly signed & stamped copies of supporting purchase orders for all projects along with work completion certificates from the client

7. Criteria: The organization should have at least 40 Information Security professionals on their payroll for the last 2 years
   Documents: Declaration on letterhead by HR

8. Criteria: The organization should have commercial license of at least 3 security assessment tools including vulnerability assessment and application testing automated tools
   Documents: Copies of license agreements of these tools

9. Criteria: The bidder should have at least 10 resources with 2 or more security certifications such as CEH/CISSP/CISA/OWASP/OSCP/GIAC certifications as on bid submission date
   Documents: Declaration on letterhead by HR

10. Criteria: The bidder must have a Positive Net Worth for the last 3 financial years
    Documents: Duly signed & stamped CA certificate

11. Criteria: The bidder must have a GST registration number
    Documents: Duly signed & stamped copies of relevant certificates of registration

12. Criteria: Bidder must have a valid PAN
    Documents: Duly signed & stamped copy of PAN card / certificate

13. Criteria: The bidder must be a single legal entity / individual organization. Consortium shall not be allowed.
    Documents: Undertaking signed by authorized signatory

14. Criteria: The bidder must have filed its Income Tax Returns for the last 3 financial years
    Documents: Duly signed and stamped copies of Income Tax Returns. Digitally signed ITR may be provided

15. To confirm in Yes or No, whether the bidder falls under the Micro, Small and Medium Enterprises Development Act, 2006. If yes, a duly signed & stamped copy of the registration Certificate must be provided to NICSI. Further, NICSI must be kept informed of any change to the status of the company as per the mentioned act.

16. Criteria: The bidder must be ISO 9001:2008 and ISO 27001:2013 certified
    Documents: Bidder should submit copies of these certifications

ANNEXURE 2. BIDDER'S PROFILE

Table columns: S. No.; Particulars; Description

i. Name of the Bidder
ii. Type of Incorporation (Sole Proprietor / Partnership / Private Limited / Limited Firm)
iii. Year of Incorporation
iv. Place of Incorporation
v. Whether any Legal/Arbitration proceedings have been instituted against the Bidder or the Bidder has lodged any claim in connection with works carried out by them. Mention Yes/No. If yes, please give details.
vi. GST No.:
vii. PAN No.:
viii. Full Address
ix. Name of the contact person with designation
x. Turnover from sales in each of the last 3 financial years

Name:
Designation:
Contact Number (Landline):
Contact Number (Mobile):
Email Address:
Complete Communication Address:

Signature:
Name:
Date:
Place:
Seal