REPCO HOME FINANCE LIMITED


REQUEST FOR PROPOSAL FOR CONDUCTING VULNERABILITY ASSESSMENT AND PENETRATION TESTING

EDP Department, Corporate Office
Repco Home Finance Ltd., Alexander Square, Third Floor, New No: 2, Old No: 34/35, Sardar Patel Road, Guindy, Chennai - 600032.
Phone: (044) 42106650 / 42106652, Mobile: 9884835519, Fax: (044) 42106651, E-mail: edp@repcohome.com
Page 1 of 8

Note: The consultants conducting the VAPT should be certified penetration testers, and their registration certificate should be currently valid (attach proof).

I. ABOUT REPCO HOME FINANCE LTD (RHFL)

RHFL is a professionally managed housing finance company, headquartered in Chennai, Tamil Nadu. The company was incorporated in April 2000 to tap the growth potential in the housing finance market and is registered with the National Housing Bank. At present, RHFL operates through 141 branches and 24 satellite centres in Tamil Nadu, Andhra Pradesh, Telangana, Jharkhand, Kerala, Karnataka, Maharashtra, Madhya Pradesh, Gujarat, Odisha, West Bengal and Puducherry.

II. OBJECTIVE

RHFL wishes to engage a competent Service Provider (SP) to carry out Vulnerability Assessment and Penetration Testing (VAPT) of its internet-facing applications and the underlying infrastructure deployed at RHFL's Data Centre in Chennai, its Disaster Recovery Centre in Bangalore, and 5 identified branches.

Based on the contents of this RFP, the selected Bidder shall independently arrive at an approach and methodology suitable for RHFL, based on industry best practices and RBI guidelines, after taking into consideration the effort estimate for completing the work and the resource and equipment requirements. The approach and methodology will be approved by RHFL.

RHFL expressly stipulates that the Consultant's selection under this RFP is on the understanding that this RFP contains only the principal provisions for the entire assignment, and that delivery of the deliverables and the services in connection therewith are only a part of the assignment. The selected Bidder shall undertake to perform all such tasks, render the requisite services and make available such resources as may be required for the successful completion of the entire assignment, at no additional cost to RHFL.

III. REQUIREMENT SPECIFICATION

Scope

The Vulnerability Assessment and Penetration Testing should cover RHFL's information system infrastructure, which includes networking systems, security devices, servers, databases, applications, systems accessible via public IPs, etc. The selected Bidder should carry out a threat and vulnerability assessment and assess the risks in RHFL's Information Technology infrastructure. This will include identifying existing threats, if any, and suggesting remedial solutions and recommendations to mitigate all identified risks, with the objective of enhancing the security of the information systems. In addition to the remote assessment, the selected Bidder shall also perform an onsite assessment of the assets under the scope of this RFP.

VAPT activities

The VAPT should be comprehensive and include, but not be limited to, the following activities:
- Network Scanning
- Port Scanning
- System Identification & Trusted System Scanning
- Vulnerability Scanning
- Malware Scanning
- Spoofing Scenario Analysis
- Application Security Testing & Code Review
- OS Fingerprinting
- Service Fingerprinting
- Access Control Mapping
- Denial of Service (DoS) Attacks
- DDoS Attacks
- Authorization Testing
- Lockout Testing
- Password Cracking
- Cookie Security
- Functional Validations
- Containment Measure Testing
- War Dialing
- DMZ Network Architecture Review
- Firewall Rule Base Review
- Server Assessment (OS Security Configuration)
- Security Device Assessment
- Network Device Assessment
- Database Assessment
- Website Assessment (Process)
- Vulnerability Research & Verification
- IDS/IPS Review & Fine Tuning of Signatures
- Man-in-the-Middle Attack
- Man-in-the-Browser Attack
- Any other attacks

Broad details of the systems are given below:

Device Type          Quantity (DC)   Quantity (DR)
Servers                   14              3
Database                   3              0
Network Devices            3              2
Security Devices           1              1
Storage Devices            1              0
VAPT External IPs          1              1
VAPT Internal IPs         15              4

List of applications:
- Core Banking Solution
- Loan Originating System

VAPT phases

The vendor has to undertake the VAPT/security testing in a phased manner as described below.

Phase I: Conduct VAPT/security testing as per the scope; evaluation and submission of preliminary reports of findings, and discussions on the findings.
Phase II: Submission of the final report.

Phase I

a. Conduct VAPT as per the scope defined in the RFP without disturbing operations
- RHFL will call upon the selected Bidder, on placement of the order, to carry out a demonstration and/or walkthrough, and/or presentation and demonstration of all or specific aspects of the VAPT activity.
- The VAPT schedule is to be provided 7 working days prior to the start of the activity, along with the team member details.
- A dedicated Project Manager shall be nominated, who will be the single point of contact for the VAPT activity in Chennai and other locations.
- Execute Vulnerability Assessment and Penetration Testing of RHFL's IT infrastructure and applications as per the scope, on the written permission of RHFL and in the presence of RHFL's officials.

b. Detailing the security gaps
- Detail the system setup used and the tests conducted in the assessment.
- Analyse the findings and document the security gaps, i.e. vulnerabilities, security flaws, loopholes, threats, etc., observed during the course of the VAPT activity as per the scope of work.
- Document recommendations and solutions for addressing these security gaps, and categorize the identified security gaps based on their criticality.
- Chart a roadmap for RHFL to ensure compliance and address these security gaps.

c. Addressing the security gaps
- Recommend actionable fixes for system vulnerabilities, in design or otherwise, for application systems and network infrastructure. If recommendations for risk mitigation/removal cannot be implemented as suggested, alternate solutions are to be provided.
- Suggest changes/modifications to the security policies implemented, along with the security architecture, including RHFL's network and applications, to address the same.
- The draft report of the VAPT findings should be submitted to RHFL for management comment.

Phase II

a. Submission of final reports
- The Service Provider should submit the final report of the VAPT findings as per the report format mentioned under Deliverables.
- All VAPT reports submitted should be signed by technically qualified persons, who take ownership of the document and are responsible and accountable for the document/report submitted to RHFL.
- The final report has to be submitted within 15 days of submission of the initial draft report.
- The Service Provider will also submit an Executive Summary Report of RHFL's internet-facing environment.

b. Acceptance of the report
The report shall be accepted on complying with the VAPT report formats mentioned in this RFP and on acceptance of the audit findings.

Deliverables

The deliverables for the VAPT activity are as follows:

a. Execution of Vulnerability Assessment and Penetration Testing for the identified network devices, security devices, servers, applications, websites, interfaces (part of application), etc., as per the scope mentioned in this RFP, together with analysis of the findings and guidance for their resolution.

b. VAPT Report. The VAPT Report should contain the following:
- Identification of the auditee (address and contact information)
- Dates and locations of the VAPT
- Terms of reference
- Standards followed
- Summary of audit findings, including identification tests, tools used and results of the tests performed (such as vulnerability assessment, penetration testing, application security assessment, website assessment, etc.)
- Tools used and methodology employed
- Positive security aspects identified
- List of vulnerabilities identified
- Description of each vulnerability
- Risk rating or severity of each vulnerability
- Category of risk: Very High / High / Medium / Low
- Test cases used for assessing the vulnerabilities
- Illustration of the test cases
- Applicable screenshots
- Analysis of vulnerabilities and issues of concern
- Recommendations for corrective action
- Personnel involved in the audit

The Service Provider may further provide any other required information as per the approach adopted by them which they feel is relevant to the audit process. All gaps, deficiencies and vulnerabilities observed shall be thoroughly discussed with the respective RHFL officials before finalization of the report.

The VAPT Report should comprise the following sub-reports:

VAPT Report (Executive Summary): The vendor should submit a report summarizing the scope, approach, findings and recommendations in a manner suitable for senior management. The selected Bidder will also detail the positive findings (no gap found) for the various tests conducted.

VAPT Report (Core Findings along with Risk Analysis): The vendor should submit a report bringing out the core findings of the VAPT conducted for network devices, security devices, servers and websites.

VAPT Report (Detailed Findings/Checklists): The detailed findings of the VAPT would be brought out in this report, which will cover in detail all aspects, viz. identification of vulnerabilities/threats in the systems (specific to equipment/resources, indicating the name and IP address of the equipment with office and department name), identification of threat sources, identification of risk, identification of inherent weaknesses, servers/resources affected with IP addresses, etc. The report should classify the observations into Critical / Non-Critical categories and assess the category of risk implication as VERY HIGH / HIGH / MEDIUM / LOW RISK based on the impact. The various checklist formats designed and used for conducting the VAPT activity as per the scope should also be included in the report, separately for servers (different for different OS), applications, network equipment, security equipment, etc., so that they provide a minimum domain-wise baseline security standard/practices to achieve a reasonably secure IT environment for the technologies deployed by RHFL. The reports should be substantiated with the help of snapshots/evidence/documents, etc., from which the observations were made.

VAPT Report (In-Depth Analysis of Findings / Corrective Measures & Recommendations along with Risk Analysis): The findings of the entire VAPT process should be critically analysed, and controls should be suggested as corrective/preventive measures for strengthening/safeguarding the IT assets of RHFL against existing and future threats in the short/long term. The report should contain suggestions/recommendations for improvement in the systems wherever required. If recommendations for risk mitigation/removal cannot be implemented as suggested, alternate solutions are to be provided. Also, if formal procedures are not in place for any activity, evaluate the process and the associated risks and give recommendations for improvement as per best practices.

Documentation format

All documents will be handed over in three copies, signed, legible, neatly and robustly bound, on A4-size, good-quality paper. Soft copies of all documents, properly encrypted, in MS Word / MS Excel / PDF format are also to be submitted on CDs/DVDs along with the hard copies. All documents shall be in plain English.

Adherence to standards

The vendor should use the latest ISO 27001 and PCI DSS standards and the RBI and CERT-In guidelines in carrying out the tasks as per the scope of work. The vendor should adhere to all applicable laws of the land and the rules, regulations and guidelines prescribed by the various regulatory, statutory and Government authorities.

The Vendor shall also furnish:
- An estimated work plan and time schedule for providing the services for this assignment. Effort estimate and elapsed time are to be furnished.
- Details of the inputs and infrastructure requirements required by the Vendor to execute this assignment.
- Details of the Vendor's proposed methodology/approach with reference to the scope of work.

IV. PRE-QUALIFICATION CRITERIA

1. Partnership firm / public or private limited company / Government institution / public sector / private company / any other entity that has completed 5 years of business after the date of incorporation.
2. Minimum turnover of Rs. 2 crores in any two of the last three financial years.
3. The applicant must be an RBI / CERT-In registered person with good credentials.
4. The applicant must have performed VAPT for Government institutions / public sector banks / private sector banks / large corporates across the country. A satisfactory work completion letter from the customer has to be provided.
5. The applicant must have its Corporate Office or a branch office in Chennai.
6. The participating vendors should submit a declaration that they have not been blacklisted by any organization elsewhere.

V. METHOD OF SUBMISSION

Details required, if any, can be collected from Mr. Pandiarajan K, AGM, EDP Dept, at 044 42106650, in person on any working day between 10 AM and 5 PM, or by e-mail to edp@repcohome.com.

A large-size cover containing the following Technical and Commercial details should be submitted to the Chief Operating Officer at the Corporate Office.

1. Technical details clearly describing the company profile, past work history with client list, and proof of the eligibility criteria should be submitted in a sealed envelope superscribed "Technical Proposal for conducting Vulnerability Assessment and Penetration Testing".
2. The Commercial Proposal should be submitted in another sealed envelope superscribed "Commercial Proposal for conducting Vulnerability Assessment and Penetration Testing".

Both sealed envelopes should be submitted in a large-size sealed envelope superscribed "Proposal for conducting Vulnerability Assessment and Penetration Testing", on or before 06-11-2018, 05:00 pm, by Speed Post/Courier to the following address:

The Chief Operating Officer, Repco Home Finance Ltd., III Floor, Alexander Square, #2, Sardar Patel Road, Guindy, Chennai - 600 032.

Proposals can also be dropped in the box available at the Corporate Office within working hours on or before 06-11-2018, 5.00 PM.

After the closing date, the envelope containing the Technical Proposal will be unsealed first by RHFL's Technical / Purchase Committee. The envelope containing the Commercial Proposal will be unsealed only if the Technical Proposal submitted by the vendor contains the specification details mentioned under Requirement Specification and the necessary documentary proof for the details mentioned under Pre-Qualification Criteria. If the cover does not contain the Technical and Commercial Proposals in separate sealed envelopes, it will not be considered by our Purchase Committee and the cover will be returned to the vendor.

VI. DISCLAIMER

RHFL reserves the right not to consider the proposals submitted by any vendor without assigning any reason whatsoever. Bringing any outside influence will lead to disqualification.

VII. GRIEVANCE MECHANISM

Any vendor participating in this process but aggrieved by the decision of the Company may submit his/her representation in writing (within 10 days of completion of the process) to: The Chief Operating Officer, REPCO HOME FINANCE LTD, Third Floor, Alexander Square, New No: 2, Sardar Patel Road, Guindy, Chennai - 600 032.