Transcription:

Pre-bid queries and the Bank's responses. Each entry gives the serial number, the RFP clause referred to, the bidder's query and the Bank's response; where the transcription records no response for an entry, none is shown.

1. Clause 1.2.3 (Review/Audit of Business Software to be conducted for the following application vs Territory)
   Query: Please mention which of the in-scope applications are deployed in India vis-à-vis the international locations and whether the test systems for all the in-scope applications will be available to the auditor in India for performing the test work.
   Response: Test system will be available in India.

2. Section 11 (Pt no. 11a)
   Query: Please let us know if we can provide a bank guarantee of INR 50,000 as the Earnest Money Deposit in lieu of the Demand Draft.
   Response: No.

3. Clause 1.2.2.A (Threat & Vulnerability Analysis audit of customer facing Web based ...)
   Query: Please provide us the following details related to the scope of the vulnerability assessment / penetration testing to be performed:
   1. Number of external facing IP addresses / URLs for which the ethical hacking / penetration testing is to be performed.
   2. With respect to the ethical hacking, please clarify if the testing needs to be done as black box (without any credentials) or as a limited knowledge test (username/password to be provided by the bank for the respective applications).
   3. Number and model of the routers, switches and perimeter security devices for which the vulnerability assessment is to be performed.
   4. Details on the IT infrastructure for which the security parameter review / vulnerability assessment is to be performed, in the format below:
      Name | Location(s) where application is hosted | Information on servers in-scope for VA (including primary, standby, DR etc.) | Number and operating system version of application servers | Number and operating system version of database servers
   Response:
   1. Will be available during review.
   2. SP has to conduct black box and grey box testing.
   3. Will be available during review. However, an assumption can be made on a load of 3000 plus branches and 21 foreign territories.
   4. Refer point no. 1.2.3. Actual details of IT infrastructure will be available during the actual review.

4. Clause 1.2.2.B (Security and controls review of the ATM, Internet Banking, On-line Trading, Cash Management, Depository services and Channel banking, Encompassing ...), 1.2.2.A, 1.2.3 (Review/Audit of Business Software to be conducted for the following application vs Territory), 1.2.4 (For the banking ...)
   Query: Please provide us details on the number and type of interfaces in the IT environment of the Bank, in the format below:
      Name of interface | Purpose (Nature of information passing through the interface etc.) | Source | Destination | Ty... (M...) | Channel
   Response: Details will be available during review.

5. Clause 1.2.2.A (Threat & Vulnerability Analysis audit of customer facing Web based ...)
   Query: The following items in the RFP for Selection of service provider for conducting comprehensive audit of banking application systems (India and foreign territories) under Section 1.2.2.A are similar to the items in the RFP for Selection of service provider for conducting comprehensive audit of IT infrastructure (DC / DRC) under sections 2.2.2(b) and 2.2.2(c). Similar items in the scope of work of the two RFPs:
   (1) Banking application systems RFP, 1.2.2.A: Review of security assessment of the technology platforms at the Data Center; Switch Diagnostic review; Router Diagnostic review; Vulnerabilities in OS are being taken care of; Compensatory controls for known vulnerabilities are in place.
       IT infrastructure RFP, 2.2.2(b) / 2.2.2(c): Review of security and parameter setting for all IT Infrastructure within the Data Centre, including review of placement of security equipment and network equipment for securing database, application and web servers of various applications housed at the Data Centre; Review of Operating system and Database Hardening and document verification of OS/DB Hardening; Conduct an internal vulnerability assessment for reviewing the database security setting; Review of switches, routers configuration, scalability and port management.
   (2) Banking application systems RFP, 1.2.2.A: Review of Configuration and Monitoring of logs of Intrusion Prevention System, firewalls and response capabilities; Review of periodic analysis of logs to bring in changes to the security posture to mitigate risks from newly identified threats; Check for existence of proper guidelines to retire any infrastructure. It is to be ensured that the data on such asset is backed up and is removed from the asset before it is retired. Data that becomes inconsequential or irrelevant due to various factors must be archived using a proper archival mechanism. Data which needs to be destroyed must be destroyed immediately and proper guidelines need to be defined as a process for the same.
       IT infrastructure RFP, 2.2.2(c) / 2.2.2(a): Monitoring of logs (i.e. trace log, CDCI logs, fatal logs, archive logs, SU logs, Syslog, alert log, last log, application log, Security log, System log, File retention logs, file replication service log, DNS logs, IDS log, AIPS logs, event log, access log, ISS log, AV log etc.); Acquisition in DC/DR, installation, upgradation, movement, usage and disposal procedures.
   (3) Banking application systems RFP, 1.2.2.A: Pro-active virus prevention and detection procedures are in place and implemented. Virus definitions are updated regularly; Procedures for monitoring of updation of virus definitions.
       IT infrastructure RFP, 2.2.2(i): Others - Review of anti virus.
   Please clarify under which RFP the Bank expects the service provider to perform vulnerability assessment / security review of the IT infrastructure including operating systems, database and networking devices (routers / switches). As we are responding to both the RFPs, this clarification will help us include the effort estimates for the above activities in the relevant proposal.
   Response: The points covered in 1.2.2.A are for conducting Vulnerability Assessment for all Web Facing applications, which is required to be carried out in addition to the scope referred to in the RFP of Infrastructure review (2.2.2 (a, b, c, i)). Please note that both are mutually exclusive.

6. Clause 1.2.5 (Core Banking Solution - Finacle: Domestic & International)
   Query: Please clarify if the service provider is expected to audit manual compensating controls for areas where systemic controls are determined to be inadequate.

7. Clause 1.2.5 (Core Banking Solution - Finacle: Domestic & International)
   Query: Please clarify the names of all the modules of the Finacle Core Banking solution that the Bank wishes to cover as part of the application controls review.
   Response: All the modules as implemented in Bank of Baroda.

8. Clause 1.2.4 (For the banking ...)
   Query: The scope of work includes the following items: 1. To review effectiveness and efficiency of the Software. 2. To understand and appreciate the Strengths, Flexibility and Weakness of the whole System as implemented and constraints imposed by the system on the user. 3. To review the proper MIS reporting in cases where manual control exists during the life cycle of a product. Please elaborate the expectations of the Bank with respect to these line items.
   Response: As per standard audit & review process.

9. Clause 1.2.4 (For the banking ...)
   Query: The scope of work includes "Review of application response time from end user perspective in comparison with peer bank / industry best practice". Please clarify the following points: 1. Which are the applications for which the application response time is to be tested by the service provider? 2. Please list the peer banks that need to be considered for this particular point. 3. Will the Bank provide the information on the peer bank / industry best practice, as this information is not readily available in the public domain?
   Response: 1. Applicable to all applications. 2. You may consider the top 5 peer banks in India. 3. No, the Bank will not provide the information.

10. Clause 1.2.4 (For the banking ...)
   Query: The scope of work includes "To review application control of all data upload/download". Please mention the number of instances of data upload/download which need to be reviewed.
   Response: Will be provided during review.

11. Clause 4, point no. 3 on page 4
   Query: The Vendor's Balance Sheet and Profit & Loss Account Statement do not carry a head that identifies the income earned from consulting and testing services. However, the Vendor is in the business of consulting and testing and therefore the revenue of the Vendor can be attributed to consulting and testing. Please confirm if a self-declaration along with the P&L account statements would suffice.
   Response: Vendor to submit a certificate from his auditor that his income from consulting and testing services is more than 25% of his gross revenue.

12. Clause 1.1, paragraph 3 on page 18
   Query: The paragraph reads "The selected service provider is required to provide service of comprehensive audit including the following services: performance testing (PT), optimization testing, high availability testing, scalability testing with reference to the four core architectural principles performance, scalability, high availability, investment protection." Please confirm that BoB wants the SP to review the methodology, planning process and outcome of the above tests, which the system integrator would have already performed while installing the banking application system, i.e. BoB does not expect the SP to perform the tests as part of the proposed audit.
   Response: The Service Provider has to conduct all tests independently, irrespective of those done by the System Integrator.

13. Clause 1.2.1 on page 19
   Query: Please confirm if BoB expects the SP to perform three VA/PT tests at an interval of six months.

14. The second line on page 20
   Query: "Review of periodic analysis of logs to bring in changes to the security posture to mitigate risks from newly identified threats." Does BoB have a defined framework to identify new threats and therefore identify resolution measures for the same? Please elaborate this point and clarify the expectation from the SP as part of the proposed audit.
   Response: Bank has a defined framework and expects recommendations for improvement in the existing methodology.

15. Clause 1.2.2.B, last line on page 20
   Query: a. This line leads the bidder to assume that BoB has a defined IT Risk Management Framework. Please confirm. b. If yes, will BoB share the complete IT Risk Management framework with the bidder?
   Response: With the successful bidder.

16. Clause 1.2.2.B, first line on page 21
   Query: c. Does BoB have defined security and control objectives? d. If yes, will BoB share these objectives with the selected SP?

17. Clause 1.2.3 on page 21
   Query: Does BoB envisage any trips overseas?

18. First line on page 22
   Query: The line reads "Review / audit of application which will be implemented in next 24 months". This is an open statement which makes effort estimation difficult. Please provide more specific information on which applications are going live in the next 24 months, with a timeline for each respective application.
   Response: Please refer 1.2.3.

19. Point 6 on page 23
   Query: The line reads "Adherence to legal and statutory requirements". Please confirm if BoB shall provide to the selected SP a comprehensive list of the legal and statutory requirements that the banking application system needs to adhere to, for each of the international geographies.
   Response: Bank will provide the web site address details of the Banking Regulators of the respective territory only.

20. Clause 11 on page 29
   Query: e. Please confirm that expenses accrued by the selected SP on travel outside of Mumbai, wherever necessary, shall be reimbursed by BoB and shall therefore not be included by the SP in their commercial quotes. f. The clause mentions that the settlement of bills shall be done at mutually agreed rates. Please quantify the rates to avoid any miscalculation.
   Response: e. Yes. f. Will be finalized with the successful bidder on a case to case basis.

21. Query: Is there any change in the eligibility criteria?
   Response: No.