
Ref. No.: CO:IS:Audit:2011-12:

Date: February 9, 2012

CLARIFICATIONS ON RFP FOR COMPREHENSIVE AUDIT FOR CBS PROJECT

Following are the clarifications for the points raised in the pre-bid meeting held on 06/02/2012 at Central Bank Of India, Audit Department, Bandra Kurla Complex (BKC), Mumbai with respect to our Tender No. CO:IS:2011-12: for "Comprehensive Audit of CBS Project".

(The original is a table with the columns Sr. No | Reference | Description | Queries | Clarifications by Bank. Only the first serial number survived extraction; the entries below follow the order of the table.)

Sr. No 1
Reference: 6.4 CBS Application Audit
Query: Would a dedicated test environment be provided, segregated from the development and production environments, with a freeze of data as of the start date of the audit?
Clarification by Bank: Yes.

Reference: 6.4.1
Description: Study & review the implemented functionality of the B@ncs24 core banking solution & allied modules in all the areas and ensure correctness of functionality of each module & all modules in totality, including parameterization, with reference to the specifications given in the Bank's CBS RFP floated and the procedures of the Bank for all the modules like Retail deposits, Advances, Bills, Lockers, MIS etc.
Query: Please provide the list of modules.
Clarification by Bank: The modules are:
  User Administration
  BGL Reconciliation
  Branch Accounting
  Branch Activities
  Branch Clearing
  Clearing and Service Branch
  Collaterals and Guarantees
  Contingent Accounting
  Currency Chest
  Current Accounts
  Customer Information Facility
  Debt Collection
  Deposit Product Parameters
  Deposits
  Facilities and Limits
  Fees and Charges
  Forex Remittance
  General Parameters
  Global Payments Gateway
  Loan Product Parameters
  Loan Tracking
  Loans Parameters and Securities
  Remittances
  SC and DDP
  Safe Custody Parameter
  Standing Orders
  VPIS

Reference: 6.4.6 and 6.4.7
Description: 6. Identify key functionalities not supported by the application. 7. Review effectiveness and efficiency of the Application.
Query: Please specify whether this is with respect to CBI CBS RFP requirements only. If not, what are the parameters with respect to these points?
Clarification by Bank: This will be as per CBS RFP / SLAs.

Reference: 6.4.9
Description: 9. Review of all interfaces of the application with other systems, or interfaces of other systems with the application, for security, accuracy, consistency and safety.
Query: Please provide the list of interfaces and the type of each interface with B@ncs24. For example: real time, STP, batch processing, manual.
Clarification by Bank:
  No.  Interface   Type     Purpose
  1    ATMTCPSV    ONLINE   FOR ATM TXNS
  2    IBTCPSV     ONLINE   FOR INTERNET BANKING TXNS
  3    TFTCPSV     ONLINE   FOR EXIMBILLS TXNS
  4    KSKTCPSV    ONLINE   FOR KIOSK TXNS
  5    CC0000      ONLINE   FOR RECEIVING CALL CENTRE TXNS
  6    CC0060      ONLINE   FOR SENDING MESSAGES TO CALL CENTRE TXNS

Reference: 6.4.10 Review of other Controls
Description: 10. Identifying critical risk areas and control weaknesses in application systems and recommending corrective actions from a security perspective.
Query: Is this specific to the B@ncs24 application only?
Clarification by Bank: Apart from B@ncs24: e-treasury, Internet Banking, Mobile Banking, GL Application and Exim Module. For details please refer to section 6 Scope of Work of the RFP.

Reference: Review of other Controls
Description: 1. Review of user manuals, operating manuals and systems manuals and interface with menus, submenus and reports related to CBS, Oracle Apps and Trade Finance Solution, ChannelG & AML.
Query: Does it imply that the user manuals, operating manuals and systems manuals of B@ncs24, Oracle Apps and the Trade Finance Solution have to be checked?
Clarification by Bank: Yes.

Description: Turnaround time (TAT) required for each transaction.
Query: TAT could differ across multiple scenarios. Would TAT-based issues being faced in the current state be provided?
Clarification by Bank: RFP/SLA defined vis-à-vis actuals.

Description: Quality assurance management.
Query: Is CBI ISO 9000 certified? If yes, do we need to review ISO 9000 documents?
Clarification by Bank: The Bank is in the recommendation stage for ISO 27001 certification.

Reference: 6.5 SCOPE OF WORK FOR BRANCH AUDIT
Query: Could you please specify which branches are to be considered?
Clarification by Bank: Yes, two local branches.

Reference: 6.5 SCOPE OF WORK FOR BRANCH AUDIT
Query: Request you to please describe the following points: review of assets safeguarding and data integrity; fraud risk factors.
Clarification by Bank: Relates to logical and physical security. Suggestions for risk mitigation.

Reference: 6.6 Identity Management
Query: Does the bank have any identity management tool installed?
Clarification by Bank: No.

Reference: 6.6
Description: Also, in the DC audit they should check application up/down time (and the various interfaces too), as there may be instances where, for one reason or another, the server and database are up but the application is down and our users are not able to access the CBS system.
Query: How many interfaces are there?
Clarification by Bank: The six interfaces listed under 6.4.9 above (ATMTCPSV, IBTCPSV, TFTCPSV, KSKTCPSV, CC0000, CC0060; all ONLINE).

Reference: 6.7
Description: To verify the adequacy, configuration and parameters of various security equipment such as Firewalls, IDS etc. deployed at the Data Center, DRC and Network Aggregation Points (NAP) for ensuring secured transactions.
Query: Please let us know how many devices there are.
Clarification by Bank: The number of network devices to be covered under the audit at DC and DRC will be around 95.

Reference: 6.7
Description: Network performance vis-à-vis the Bank's CBS RFP.
Query: Request you to please clarify and explain the requirements.
Clarification by Bank: RFP/SLA defined vis-à-vis actuals.

Reference: 6.7
Description: The vendor identified will conduct Vulnerability Assessment (VA) against servers and network infrastructure components to identify services in use and potential vulnerabilities.
Query: Please let us know the exact count of servers, network infrastructure components and security devices.
Clarification by Bank: Total servers = 130. Of these, 25 are inbound, for which VAPT is required; for the internal servers, VA is required.

Reference: 6.7
Description: (as above)
Query: Please let us know the physical location of the devices and servers also. Will the bank provide a remote connection from Mumbai in order to connect to servers and other devices outside Mumbai?
Clarification by Bank: No remote connection will be allowed. However, the Bank will provide a higher-end PC on which the vendor can configure his tool for VA.

Reference: 6.7
Description: ii) Configuration of all Network Equipment installed at DC, DRC & 2 branches should be verified for any security threats.
Query: Please let us know the exact count of network equipment, with details.
Clarification by Bank: Around 95 (both DC & DR).

Reference: 6.7
Description: iv) Access Control. Every router / switch / firewall at DC, DRC should be checked for the following configuration standards:
Query: Please let us know the exact count of routers, switches and firewalls, with details.
Clarification by Bank: Same as above.

Reference: 6.7
Description: v) Penetration Testing.
Query: The scope for Penetration Testing is not explained; please let us know the number of devices / IPs on which Penetration Testing is required to be conducted.
Clarification by Bank: Total servers = 130. Of these, 25 are inbound, for which VAPT is required; for the internal servers, VA is required.

Reference: 6.7
Description: iii) Real-Time Monitoring/Analysis/Control Mechanisms. An exhaustive list of reports to be generated regularly (every few minutes, hourly, daily, weekly), such as the following: degradation in performance of any link below a threshold; health of all services, generating alarms on failures; throughput on all critical paths (using dummy applications if needed); calculate and produce round-trip times for applications (e.g. emails) between any chosen locations; usage patterns (number of transactions) per application should be prepared. Suggestions for suitable state-of-the-art tools for pro-active real-time monitoring, analysis and control of the network traffic should also be given.
Query: Please explain the bank's requirement from the Consultants / Auditors.
Clarification by Bank: The Bank will provide a higher-end PC; the vendor can configure his tool for VA and suggest improvements or any additional state-of-the-art tools for pro-active real-time monitoring.

Reference: 6.8 Call Centre Audit
Description: IS audit of the Call Centre and its processes to protect the Bank's information security.
Query: Request you to please explain the scope of the IS Audit. Is VAPT required? If yes, please provide the details of the Call Centre infrastructure.
Clarification by Bank: VAPT is not required. The call centre is being operated purely on an outsourced model. The audit will have to check for data confidentiality and outsourcing issues to be addressed.

Reference: 5.2 Earnest Money Deposit
Description: Bidders are required to give a Demand Draft drawn in favor of Central Bank Of India, payable at Mumbai (valid for 210 days from the due date of the tender) for Rs.50000/- (Rupees Fifty Thousand only) as Earnest Money Deposit (EMD) along with their offer. Offers made without E.M.D. will be rejected. Central Bank Of India will not pay any interest on the E.M.D.
Query: As per our bank's policy and RBI guidelines, a DD cannot be valid for more than 180 days. Request you to please make it 180 days instead of 210 days.
Clarification by Bank: To be treated as 180 days.

Reference: Page No. 25 - Database System
Query: We would like to know whether Configuration Audit / Vulnerability Assessment of all the database systems in DC and DRC needs to be conducted, or whether we can take a sample of critical databases in DC & DRC, e.g. 10% of the total database servers. We would like to know the total number of database servers in scope.
Clarification by Bank: VA is to be conducted for all the servers, while VAPT is to be conducted for the inbound servers. The server count is given above.

Reference: Page No. 26 - Operating System Security
Query: We would like to know whether Configuration Audit / Vulnerability Assessment of all the servers in DC and DRC needs to be conducted, or whether we can take a sample of critical servers in DC & DRC, e.g. 10% of the total servers. We would like to know the total number of servers in scope.
Clarification by Bank: Same as above.

Reference: Page No. 27 i) Network Vulnerability Assessment (VA)
Query: We would like to know whether Vulnerability Assessment of all the network devices in DC and DRC needs to be conducted, or whether we can take a sample of critical network devices in DC & DRC, e.g. 10% of the total devices. We would like to know the total number of network devices in scope.
Clarification by Bank: Yes.

Reference: Page No. 29 - Penetration Testing, v) Penetration Testing
Query: We would like to know whether all the servers and network devices in DC and DRC need to be covered for internal Penetration Testing, or whether we can take a sample of critical servers and network devices in DC and DRC, e.g. 10% of the total servers & network devices.
Clarification by Bank: VA is to be conducted for all the servers, while VAPT is to be conducted for the inbound servers. The server count is given above.

Reference: Page No. 29 v) Penetration Testing
Query: We would like to know the number of external-facing public IP addresses.
Clarification by Bank: 25.

Reference: Page No. 29 v) Penetration Testing
Description: Attempt to overload the system using DDoS & DoS.
Query: We would like to inform you that DDoS and DoS attacks will not be carried out by us, but various measures to avoid these will be suggested during the course of the audit. Please let us know.
Clarification by Bank: Without conducting DoS / DDoS, measures cannot be suggested. Hence not acceptable.

Reference: Page No. 33 Submission of final compliance review report after Stage 4
Query: We would like to know whether a compliance review / re-test of the initial activities needs to be conducted by us.
Clarification by Bank: Yes.

Reference: Audit of delivery channels: Internet banking, Mobile banking (SMS/WAP), Treasury management (e-Treasury), ATM Switch, RTGS/NEFT.
Query: There is no detailed scope given in the RFP. What areas need to be covered in this section: application audit, process audit and infrastructure audit as well? We also need additional information on the Treasury management system (e-treasury) and any linkage with the Treasury suite of applications being used by the bank.
Clarification by Bank: Relates to IS audit. For details, please refer to section 6 Scope of the Work of the RFP. E-treasury is linked to the Bank's CBS at GL level.

Reference: Audit of Call centre against RBI Outsourcing guidelines
Query: The scope of work given in the detailed scope of work is 1) IS audit of the Call centre and its processes to protect the bank's information security, and 2) Outsourcing audit as per RBI outsourcing guidelines. Does it include audit of the software used for call centre operations, supporting infrastructure, data exchange controls, data encryption etc.? Secondly, for the outsourcing audit as per RBI outsourcing guidelines, does the bank expect only a checklist audit?
Clarification by Bank: VAPT is not required. The call centre is being operated purely on an outsourced model. The audit will have to check for data confidentiality and outsourcing issues to be addressed. There is no IS audit of software / hardware. However, a report on virus updates will be required. Against RBI Outsourcing guidelines.

Reference: Audit of CTS Chennai against RBI outsourcing guidelines
Query: The scope of work stipulated is Audit of CTS Chennai against RBI outsourcing guidelines. Does it include only a checklist audit, or also an audit of the CTS application, supporting infrastructure and processes, including environmental controls? What shall be the audit location for the audit of CTS? We would like to get your feedback on the same during the pre-bid meeting.
Clarification by Bank: It will be only an IS audit and an audit against RBI outsourcing guidelines, since CTS Chennai is totally outsourced. CTS Delhi is an in-house module; an IS audit of the application (black box) and a network audit are to be done.

Reference: Conducting comprehensive audit of the CBS project. For audit purposes, the CBS Application Software B@ncs24 also includes the integrated modules, i.e. EximBills, Channel-G, Oracle Apps and AML.
Query: Will the audit include source code audit / process audit / security infrastructure audit of the application? Does CBI have its own checklist that is to be followed for these audits, or will it be prepared in consultation with the vendor?
Clarification by Bank: No source code audit. Only black box testing is required. The parameters of all the products (deposits / advances / remittances etc.) need to be checked in the system vis-à-vis the Bank's policies.

Reference: Information System Audit of two NAPs, one each at Hyderabad and Mumbai, and 2 CBS branches
Query: 1) Is VAPT also required as part of this exercise? If yes, then scoping/sizing information will be required (no. of servers / applications etc.). 2) Will the Vulnerability Assessment be done against any specific policy / baseline?
Clarification by Bank: Refer above.

Reference: Conducting Security Audit of the Data Center and Disaster Recovery Center, and audit of anti-virus
Query: 1) Is the security audit for DC and DR to be done against any particular standards? 2) Will the antivirus audit on desktops be done on a sampling basis?
Clarification by Bank: Best practices and the Bank's IT Security policy. For DC/DRC antivirus, the availability of AMC, insurance and aspects related to physical security are to be checked.

Reference: Financial Inclusion infrastructure and application at DC & DR
Query: Does it include an overall process audit (data flow from the client end to the bank infrastructure), or only the F.I. application infrastructure?
Clarification by Bank: Audit of the infrastructure and application at DC and of the data transfer to FI vendors (to / from).

Reference: i) Network Vulnerability Assessment (VA)
Query: No. of servers? No. of networking devices to be scanned? Frequency of scan required?
Clarification by Bank: Refer above.

Reference: Desktop Security at branches, DC & DRC
Query: How many desktops at each location? Will the audit be done on a sampling basis? What will be the frequency of scan required?
Clarification by Bank: 2 branches, 100%. Around 50 desktops at a branch.

Reference: Vulnerability scanning of desktop systems
Query: Will the scanning be done on a sampling basis? What will be the frequency of scan required?
Clarification by Bank: For all desktops in the branches.

Reference: Validate the following services for security, effectiveness and efficiency on all network devices:
Query: Is only a device-level audit required for this?

Reference: Network Performance Analysis / Capacity Planning / Performance Audit
Query: This is not a typical application audit; we request confirmation / deletion of this point.

Reference: Process Management Audit: 1) Review of key processes related to the Network 2) Accounts / Identity Management 3) Help Desk, Complaint & Incident Handling Procedures
Query: Assumption: CBI has these processes implemented and the vendor is expected to audit these processes and tweak them as per industry best practices.

Clarifications by Bank for the three points above (listed in the table in this order): Internal devices / servers: VA. External devices / servers: VAPT. This is a network audit. Yes. Yes. Yes. Yes.

Reference: ISO 27001 Certification
Query: Has CBI implemented an ISMS already and been certified for ISO 27001? Or is it planning for the same?
Clarification by Bank: In the process; certification awaited.

Reference: Maintenance

Reference: LD
Description: The System Auditor must strictly adhere to the audit schedule, and any delay will enable the Bank to resort to any or all of the following at the sole discretion of the Bank: (a) claiming Liquidated Damages; (b) termination of the agreement, fully or partly. In addition to the termination of the agreement, Central Bank Of India reserves the right to appropriate the damages from the earnest money deposit (EMD) given by the bidder, or invoke the Bank Guarantee given in lieu of EMD, and/or invoke the bank guarantee given by the bidder against the advance payment. The Bank also reserves the right to blacklist the bidder and inform the same to appropriate forums. The Bank also reserves the right to charge penalties and to claim damages for improper or incomplete execution of the assignment. In case of delay in provisioning the services beyond the specified schedule, the CBS System Auditor shall be liable to pay the Bank liquidated damages at the rate of 0.25% of the total contract value for every week of delay or part thereof. The Bank shall recover the liquidated damages, if any, accruing to the Bank, as above, from any amount payable to the CBS System Auditor either as per the Contract executed between the Bank and the CBS System Auditor pursuant hereto, or under any other Agreement/Contract the Bank may have executed / shall be executing with the CBS System Auditors.
Query: Please specify the maximum LD leviable.
Clarification by Bank: No change.

Query: The right of termination should be given only if the System Auditor commits a material breach and does not rectify the same within 30 days of receiving notice to this effect from the Central Bank. Further, in case of delay the Bank can impose the LD as agreed between the System Integrator and Central Bank. We would request that in case of delay Central Bank should blacklist HCL and charge any penalty or damage other than LD.
Clarification by Bank: No change.

Query: The LD should be 0.25% of the service charges of the delayed services and not of the full contract value. Further, LD should be imposed only if the delay is due to reasons solely attributable to HCL. Further, the Bank should recover the LD only under the Contract to be executed under this RFP and not from any other Contract.
Clarification by Bank: No change.

Reference: Indemnity
Description: The CBS System Auditor shall, at their own expense, defend and indemnify the Bank against any claims due to loss of data / damage to data arising as a consequence of any negligence during the CBS Application/Functionality Audit.
Query: An indemnity right for loss of data / damage to data would not be appropriate, and hence we would request removal of this clause.
Clarification by Bank: No change.

Reference: Force Majeure
Query: To be negotiated at the time of finalisation of the contract.
Clarification by Bank: No change.

Reference: Non Disclosure and Confidentiality Agreement
Description: The successful bidder will be required to execute a Non Disclosure and Confidentiality Agreement and similar other documents as may be desired by the Bank.
Query: The successful bidder shall execute a Confidentiality Agreement and similar other documents on mutually acceptable terms and conditions.
Clarification by Bank: No change.

Reference: Limitation of liability
Query: A limitation of liability should be included, and the limitation of liability for direct damages should be limited to a percentage [say 5%] of the contract value.
Clarification by Bank: No change.

Reference: Taxes are inclusive
Query: As the prices are quoted inclusive of taxes, we propose that the taxes should be as applicable on the date of billing, i.e. in case of any changes / increase in taxes or statutory duties, or if new taxes are introduced during the contract period, the additional costs / benefit should be on the customer.
Clarification by Bank: No change.

Reference: Audit of infrastructure and application of Risk Management at DC. The following systems related to CBS are also to be audited:
  e-Voucher. The following components need to be audited: 1) The e-voucher application software is installed on the gateway PC of the branch. 2) The database also resides on the gateway PC. 3) ATM card authentication happens on the e-voucher terminal from the ATM switch through the gateway PC; hence the whole path needs to be audited. 4) The Bank's LAN network is used.
  Kiosk. The following components need to be audited: 1) The kiosk application software is installed on the kiosk machine itself. 2) The kiosk directly fires the request to the CBS server, for which a specified port is opened. 3) The database is at CBS level. 4) The Bank's LAN network is used.
  Government Integration. The following components need to be audited: 1) The Bank has integrated its CBS system with various state governments' systems. 2) Data flow (parameters) is passed directly between the state government portal and the Internet Banking web services of the Bank.
  e-payments. The following components need to be audited: 1) The Bank is providing e-payment services to states. 2) The integration involves the Bank's Internet Banking system, the State Government system and the Aggregator system. 3) The parameters are passed between the above three systems.
Clarification by Bank: Details of the software will be given at the time of signing of the contract.

Please note that all other things remain unchanged.

S.K. Mishra
Asstt. General Manager - IS Audit
