RFP for ISMS

KARNATAKA STATE BEVERAGES CORPORATION LIMITED
(A Govt. of Karnataka Enterprise)
78, Seethalakshmi Towers, Mission Road, Bangalore-560 027.
Ph: 22483638/ 39 Fax: 22483645
KSBCL/SYS 2 – 020/2013-14

Date: 07/03/2014

REQUEST FOR PROPOSAL
INFORMATION SECURITY MANAGEMENT SYSTEM IMPLEMENTATION

1. Background:
The Karnataka State Beverages Corporation Ltd. (the Corporation), a Government of Karnataka Undertaking, is a registered Private Limited Company under the Companies Act, 1956. The Corporation has the objective of sourcing and distribution of Indian made liquor, foreign liquor, beer and spirits. The Corporation is fully dependent on ICT for its operations. The Corporation underwent an Accountant General Computerization Audit in 2010-11 and an Information Systems (IS) Audit during the year 2012-13. The Corporation now intends to implement a robust Information Security Management System (ISMS) based on an industry/business standard framework/guidelines. In this regard the Corporation invites proposals only from CERT-In Empanelled Information Security Auditing Organisations holding a valid certificate, with a minimum of three (3) years' experience and a proven track record in projects of a similar nature, who wish to carry out the ISMS implementation at the Corporation.

2. Scope of Work:
The scope of work is to define, develop and implement a robust, comprehensive, risk-based Information Security Management System (ISMS) for the Corporation according to an industry/business standard framework/guidelines. It shall include but not be limited to the following:
- Conduct a gap analysis by reviewing existing security policies & procedures (if any) and IT infrastructure vis-a-vis the industry/business standard framework/guidelines.
- IT risk assessment & validation of controls covering current state assessment, business risk assessment, device risk assessment, network security assessment, application security assessment, internal & external vulnerability assessment, and attack & penetration testing.
- Draft/frame proper IT policies, procedures, guidelines and standard operating procedures (SOP), and review them.


- Formulate the Security Architecture; devise a Business Continuity Plan (BCP) & Disaster Recovery Plan (DRP); fix vulnerabilities, patch and harden systems with a proper review cycle.
- Conduct security training programs for top management & users at various levels. Also provide training material in the form of manuals & presentations.
- Provide hand-holding support to KSBCL for the ISMS implementation.

3. Eligibility Criteria and Technical Evaluation Criteria:
The details of the Eligibility Criteria and Technical Evaluation Criteria are given in Annexure-A and Annexure-B respectively.

4. Duration:
The ISMS implementation exercise is expected to be completed in around 12 (Twelve) weeks' time.

5. Proposal submission:
Award of the contract resulting from this RFP will be based upon the most responsive CERT-In Empanelled Information Security Auditing Organisation whose proposal is the most advantageous to the Corporation in terms of cost, functionality, and other factors as specified elsewhere in this RFP. Proposals shall be submitted in sealed envelopes (Technical and Commercial) to The General Manager (MI), Karnataka State Beverages Corporation Ltd., No.78, Seethalakshmi Towers, Mission Road, Bangalore-560 027, so as to reach before 1700 hrs on 22nd Mar 2014 at the latest. The words Proposal for ‘Information Security Management System (ISMS)’ should be clearly superscribed on the envelope.

6. Closing date:
Proposals received after 1700 hrs on 22nd Mar 2014 will not be considered.

7. Acceptance or rejection of proposal:
The Corporation reserves the right to accept or reject any or all of the proposals, and to annul the exercise and reject all proposals without assigning any reason, without thereby incurring any liability to any participant or any obligation to inform those who have expressed interest of the grounds for its action.

8. Cost of proposal:
The cost of preparing and submitting the proposal is entirely the responsibility of the Information Security Auditing Organisation, regardless of the conduct or outcome of the process.

9. Language of proposal:
All proposals and supporting documentation shall be submitted in English.

10. Proposal currency:
All costs and charges related to the proposal shall be expressed in Indian Rupees only, with clear mention of taxes.

11. Period of bid validity:
The proposal shall be valid for a period of 90 days from the closing date for submission of the proposal.

12. Proposal submission:
The Information Security Auditing Organisation's proposal in response to this RFP shall be submitted in two envelopes. The submitted proposals are suggested to include each of the following sections, and these will form part of the Work Order.

I. Technical envelope containing the following:
a) Executive Summary
b) Approach and Methodology
c) Project Deliverables
d) Project Management Approach
e) Documents as in Annexure-A, indexed in the same way
f) Appendix: References
g) Appendix: Project Team Staffing
h) Appendix: Company Overview

II. Commercial envelope containing the following:
a) Detailed and Itemized Pricing
b) Taxes and others

13. Proposal Ownership:
The proposal and all supporting documentation submitted by the Information Security Auditing Organisation in this RFP process shall become the property of the Corporation.

14. Modification and Withdrawal of Offers:
Information Security Auditing Organisations are not allowed to modify their offer once it is submitted. However, they are allowed to withdraw their offers at any time before the last date and time specified for receipt of offers. No offer can be withdrawn after the closing date and time for submission of offers.

15. Opening of offers:
Offers received within the prescribed closing date and time will be opened in the presence only of the Information Security Auditing Organisations who have submitted an offer in response to this RFP, on the date and time specified by the Corporation in the schedule of events.

16. Evaluation and comparison of bids:
The Corporation reserves the right to modify or relax the eligibility criteria at any time, without assigning any reason whatsoever. Only bids from Information Security Auditing Organisations meeting the eligibility criteria and submitting complete and responsive bids will proceed to the stage of being fully evaluated and compared.

17. Clarification of Offers:
To assist in the scrutiny, evaluation and comparison of offers, the Corporation may, at its discretion, ask some or all Information Security Auditing Organisations for clarifications on the offer made by them. The request for such clarifications and the Information Security Auditing Organisation's response will necessarily be through email to [email protected] before 15-03-2014.

18. Responsibilities:
This assignment is time bound. The Information Security Auditing Organisation shall maintain the confidentiality of information received, obtained or gathered by them during the process of conducting the review or during interaction with the Corporation's personnel. The details of this assignment & any other information of KSBCL must be kept confidential & shall not be disclosed to any third party.

19. Reporting:
The Corporation should be updated on the progress made at regular intervals.

20. Indemnification:
The Information Security Auditing Organisation shall, at its own expense, defend and indemnify the Corporation against any claims due to loss of data / damage to data arising as a result of any negligence during this assignment.

21. Force Majeure:
Neither the Information Security Auditing Organisation nor the Corporation is responsible for delays or non-performance of any contractual obligation caused by war, blockage, revolutions, insurrection, civil commotion, riots, mobilizations, strikes, blockade, acts of God, plague or other epidemics, fire, flood, obstruction of navigation by ice at the port of despatch, acts of Govt. or public enemy, or any other event beyond the control of either party which directly, materially and adversely affects the performance of any contractual obligation.


22. Terms of Payment:
No advance payment request will be considered. 50% payment will be made after the initial audit and submission of the gap analysis, subject to the satisfaction of the Corporation. The balance 50% will be paid on completion of the ISMS implementation, subject to the satisfaction of the Corporation.

23. Jurisdiction:
Notwithstanding anything contained herein above, in case of any dispute, claim or legal action arising out of this assignment, the parties shall be subject to the jurisdiction of the courts at Bangalore, India only.

24. Subcontracting:
The Information Security Auditing Organisation shall not subcontract, or permit anyone other than its own personnel to perform, any of the work, service or other performance required of it under the assignment without the prior written consent of the Corporation.

25. Substitution of Team Members:
During the assignment, substitution of the resources identified for the assignment will not be allowed unless such substitution becomes unavoidable to overcome undue delay or to meet service obligations, and then only with the prior written approval/consent of KSBCL. Any change of resource should be proposed well in advance. The replacement resource should have qualifications & experience similar to or better than those of the resource being replaced.

26. Expenses:
Expenses related to travelling, boarding and lodging, if any, for assignment-related work will have to be borne by the Information Security Auditing Organisation. No out-of-pocket expenses for carrying out the assignment will be paid by the Corporation.


Annexure-A: Eligibility Criteria

1. The Information Security Auditing Organisation must be a registered partnership firm or a limited company having its registered office in India.
   Supporting document: Registered Partnership Deed / Company Incorporation Certificate.

2. The Information Security Auditing Organisation must have been a profit-making organization for the last three (03) years.
   Supporting document: Balance sheet & Profit-Loss statements certified by a CA.

3. The Information Security Auditing Organisation should have reported a segment turnover of at least Rs. 200 lakhs in the area of Information Security Management System implementation in the last financial year ended March 31, 2013.
   Supporting document: Balance sheet & Profit-Loss statements certified by a CA.

4. The Information Security Auditing Organisation should have extensive experience in implementing Information Security Management Systems (ISMS) in India for at least the last three (03) years.
   Supporting document: A list of all such security services assignments undertaken in the last three (03) years, outlining the client name, brief project description, location, project duration & date of completion.

5. The Information Security Auditing Organisation should never have been blacklisted / barred / disqualified by any regulator / statutory body.
   Supporting document: An undertaking to that effect on the organisation's letterhead.

6. The Information Security Auditing Organisation should be CERT-In empanelled.
   Supporting document: A certificate of being listed on CERT-In's empanelled vendor list for the block period 2012-2015.


Annexure-B: Technical Evaluation Criteria
(Minimum marks to be scored to be considered for Financial Evaluation = 75 marks)

1. Number of ISMS implementation projects executed by the Information Security Auditing Organisation in India in the last three financial years, viz. 2010-11, 2011-12, 2012-13.
   Point system: 3 points per successful implementation per year, subject to a maximum of 5 successful implementations per year.
   Maximum points: 45
   Documents to be submitted: Documentary evidence, along with client contact details, in the form of Work Order/Purchase Order & completion certificate from the client.

2. Prior demonstrable experience of the Information Security Auditing Organisation in successful implementation of ISMS in India for at least 3 Government organizations / Public Sector clients in the last three financial years, viz. 2010-11, 2011-12, 2012-13.
   Point system: 5 points per successful implementation.
   Maximum points: 15
   Documents to be submitted: Documentary evidence, along with client contact details, in the form of Work Order/Purchase Order & completion certificate from the client.

3. The Information Security Auditing Organisation must have on its rolls, on a permanent employment basis, personnel who hold professional certifications such as CISA / CISSP / CISM / CEH / CHFI.
   Point system: 5 points for each such person, subject to a maximum of 25 points.
   Maximum points: 25
   Documents to be submitted: Certified resumes of the personnel.

4. The Information Security Auditing Organisation must have on its rolls, on a permanent employment basis, one (1) ISO 27001 Lead Auditor.
   Point system: 5 points.
   Maximum points: 5
   Documents to be submitted: Certified resume of the personnel.

5. The Information Security Auditing Organisation should have ISO 27001 certification.
   Point system: 5 points.
   Maximum points: 5
   Documents to be submitted: Copy of the ISO 27001 certificate.

Total maximum points: 100