1. Section 1.2.3 (Review/Audit of Business Software to be conducted for the following application vs Territory)
Query: Please mention which of the in-scope applications are deployed in India vis-a-vis the international locations, and whether the test systems for all the in-scope applications will be available to the auditor in India for performing the test work.
Response: Test system will be available in India.

2. Section 11 (Pt no. 11a)
Query: Please let us know if we can provide a bank guarantee of INR 50,000 as the Earnest Money Deposit in lieu of the Demand Draft.
Response: No.

3. Section 1.2.2.A (Threat & Vulnerability Analysis audit of customer facing Web based ...)
Query: Please provide us the following details related to the scope of the vulnerability assessment / penetration testing to be performed:
   1. Number of external facing IP addresses / URLs for which the ethical hacking / penetration testing is to be performed.
   2. With respect to the ethical hacking, please clarify if the testing needs to be done as black box (without any credentials) or as a limited knowledge test (username/password to be provided by the Bank for the respective applications).
   3. Number and model of the routers, switches and perimeter security devices for which the vulnerability assessment is to be performed.
   4. Details on the IT infrastructure for which the security parameter review / vulnerability assessment is to be performed, as per the table below:
      Name | Location(s) where application is hosted | Information on servers in-scope for VA (including primary, standby, DR etc.) | Number and operating system version of application servers | Number and operating system version of database servers
Response:
   1. Will be available during review.
   2. SP has to conduct black box and grey box testing.
   3. Will be available during review. However, an assumption can be made on a load of 3000 plus branches and 21 foreign territories.
   4. Refer point no. 1.2.3. Actual details of IT infrastructure will be available during actual review.

4. Section 1.2.2.B (Security and controls review of the ATM, Internet Banking, On-line Trading, Cash Management, Depository services and Channel banking, encompassing ...)
Query: Please provide us details on the number and type of interfaces in the IT environment of the Bank, as per the table below:
      Name of interface | Purpose | Nature of information passing through the interface | Source | Destination | Type (M... / A... etc.)
Response: Details will be available during review.

5. Section 1.2.2.A (Threat & Vulnerability Analysis audit of customer facing Web based ...)
Query: The following items in the RFP for Selection of service provider for conducting comprehensive audit of banking application systems (India and foreign territories), under Section 1.2.2.A, are similar to items in the RFP for Selection of service provider for conducting comprehensive audit of IT infrastructure (DC / DRC), under sections 2.2.2(b) and 2.2.2(c). Similar items in the scope of work of the two RFPs:

   (1) Banking application systems RFP, Section 1.2.2.A:
       - Review of security assessment of the technology platforms at the Data Center
       - Review of security and parameter setting for all IT Infrastructure within the Data Centre, including review of placement of security equipment and network equipment for securing database, application and web servers of various applications housed at the Data Centre
       - Switch diagnostic review
       - Router diagnostic review
       IT infrastructure (DC / DRC) RFP, Sections 2.2.2(b) and 2.2.2(c):
       - Vulnerabilities in OS are being taken care of; compensatory controls for known vulnerabilities are in place
       - Review of Operating System and Database hardening, and document verification of OS/DB hardening
       - Conduct an internal vulnerability assessment for reviewing the database security setting
       - Review of switches and routers configuration, scalability and port management

   (2) Banking application systems RFP, Section 1.2.2.A:
       - Review of configuration and monitoring of logs of Intrusion Prevention System, firewalls and response capabilities
       - Review of periodic analysis of logs to bring in changes to the security posture to mitigate risks from newly identified threats
       - Check for existence of proper guidelines to retire any infrastructure. It is to be ensured that the data on such asset is backed up and is removed from the asset before it is retired. Data that becomes inconsequential or irrelevant due to various factors must be archived using a proper archival mechanism. Data which needs to be destroyed must be destroyed immediately, and proper guidelines need to be defined as a process for the same.
       IT infrastructure (DC / DRC) RFP, Sections 2.2.2(c) and 2.2.2(a):
       - Monitoring of logs (i.e. trace log, CDCI logs, fatal logs, archive logs, SU logs, syslog, alert log, last log, application log, security log, system log, file retention logs, file replication service log, DNS logs, IDS log, AIPS logs, event log, access log, ISS log, AV log etc.)
       - Acquisition in DC/DR, installation, upgradation, movement, usage and disposal procedures

   (3) Banking application systems RFP, Section 1.2.2.A:
       - Pro-active virus prevention and detection procedures are in place and implemented; virus definitions are updated regularly
       - Procedures for monitoring of updation of virus definitions
       IT infrastructure (DC / DRC) RFP, Section 2.2.2(i):
       - Others: review of anti-virus

   Please clarify under which RFP the Bank expects the service provider to perform vulnerability assessment / security review of the IT infrastructure, including operating systems, database and networking devices (routers / switches). As we are responding to both the RFPs, this clarification will help us include the effort estimates for the above activities in the relevant proposal.
Response: The points covered in 1.2.2.A are for conducting Vulnerability Assessment for all web facing applications, which is required to be carried out in addition to the scope referred to in the RFP for Infrastructure review (2.2.2 (a, b, c, i)). Please note that both are mutually exclusive.

6. Section 1.2.5 (Core Banking Solution - Finacle: Domestic & International)
Query: Please clarify if the service provider is expected to audit manual compensating controls for areas where systemic controls are determined to be inadequate.

7. Section 1.2.5 (Core Banking Solution - Finacle: Domestic & International)
Query: Please clarify the names of all the modules of the Finacle Core Banking solution that the Bank wishes to cover as part of the application controls review.
Response: All the modules as implemented in Bank of Baroda.

8. Section 1.2.4 (For the banking ...)
Query: The scope of work includes the following items: 1. To review effectiveness and efficiency of the Software. 2. To understand and appreciate the strengths, flexibility and weakness of the whole system as implemented, and the constraints imposed by the system on the user. 3. To review the proper MIS reporting in cases where manual control is used during the life cycle of a product. Please elaborate the expectations of the Bank with respect to these line items.
Response: As per standard audit & review process.

9. Section 1.2.4 (For the banking ...)
Query: The scope of work includes "Review of application response time from end user perspective in comparison with peer bank / industry best practice". Please clarify the following points: 1. Which are the applications for which the application response time is to be tested by the service provider? 2. Please list the peer banks that need to be considered for this particular point. 3. Will the Bank provide the information on the peer bank / industry best practice, as this information is not readily available in the public domain?
Response: 1. Applicable to all applications. 2. You may consider the top 5 peer banks in India. 3. No, the Bank will not provide the information.

10. Section 1.2.4 (For the banking ...)
Query: The scope of work includes "To review application control of all data upload/download". Please mention the number of instances of data upload/download which need to be reviewed.
Response: Will be provided during review.

11. Clause 4, point no. 3 on page 4
Query: The vendor's Balance Sheet and Profit & Loss Account Statement do not carry a head that identifies the income earned from consulting and testing services. However, the vendor is in the business of consulting and testing and therefore the revenue of the vendor can be attributed to consulting and testing. Please confirm if a self-declaration along with the P&L account statements would suffice.
Response: Vendor to submit a certificate from his auditor that his income from consulting and testing services is more than 25% of his gross revenue.

12. Clause 1.1, paragraph 3 on page 18
Query: The paragraph reads: "The selected service provider is required to provide service of comprehensive audit including the following services: performance testing (PT), optimization testing, high availability testing, scalability testing with reference to the four core architectural principles: performance, scalability, high availability, investment protection." Please confirm that BoB wants the SP to review the methodology, planning process and outcome of the above tests, which the system integrator would have already performed while installing the banking application system, i.e. BoB does not expect the SP to perform the tests as part of the proposed audit.
Response: The Service Provider has to conduct all tests independently, irrespective of those done by the System Integrator.

13. Clause 1.2.1 on page 19
Query: Please confirm if BoB expects the SP to perform three VA/PT tests at an interval of six months.

14. The second line on page 20
Query: "Review of periodic analysis of logs to bring in changes to the security posture to mitigate risks from newly identified threats." Does BoB have a defined framework to identify new threats and therefore identify resolution measures for the same? Please elaborate this point and clarify the expectation from the SP as part of the proposed audit.
Response: The Bank has a defined framework and expects recommendations for improvement in the existing methodology.

15. Clause 1.2.2.B, last line on page 20
Query: a. This line leads the bidder to assume that BoB has a defined IT Risk Management Framework. Please confirm. b. If yes, will BoB share the complete IT Risk Management Framework with the bidder?
Response: With the successful bidder.

16. Clause 1.2.2.B, first line on page 21
Query: c. Does BoB have defined security and control objectives? d. If yes, will BoB share these objectives with the selected SP?

17. Clause 1.2.3 on page 21
Query: Does BoB envisage any trips overseas?

18. First line on page 22
Query: The line reads "Review / audit of application which will be implemented in next 24 months". This is an open statement which makes effort estimation difficult. Please provide more specific information on which applications are going live in the next 24 months, with a timeline for each respective application.
Response: Please refer 1.2.3.

19. Point 6 on page 23
Query: The line reads "Adherence to legal and statutory requirements". Please confirm if BoB shall provide to the selected SP a comprehensive list of the legal and statutory requirements that the banking application system needs to adhere to, for each of the international geographies.
Response: The Bank will provide the web site address details of the Banking Regulators of the respective territory only.

20. Clause 11 on page 29
Query: e. Please confirm that expenses accrued by the selected SP on travel outside of Mumbai, wherever necessary, shall be reimbursed by BoB and shall therefore not be included by the SP in their commercial quotes. f. The clause mentions that the settlement of bills shall be done at mutually agreed rates. Please quantify the rates to avoid any miscalculation.
Response: e. Yes. f. Will be finalized with the successful bidder on a case to case basis.

21. Query: Is there any change in the eligibility criteria?
Response: No.