CSIR RFP No. 647/25/09/2015 Page 1 of 24
Request for Proposal (RFP)
The provision or supply of professional services
related to CSIR Information Privacy and Information Security Management Upgrade
RFP No. 647/25/09/2015
Date of Issue: Friday, 4 September 2015
Closing Date: Friday, 25 September 2015
Compulsory briefing session: Wednesday, 16 September 2015
Place: Tender box, CSIR Main Reception, Gate 3 (North Gate)
Enquiries: Strategic Procurement Unit, E-mail: [email protected]
CSIR business hours: 08h00 – 16h30
Category: Professional services
TABLE OF CONTENTS
SECTION A – TECHNICAL INFORMATION
1 INTRODUCTION
2 BACKGROUND
3 INVITATION FOR PROPOSAL
4 PROPOSAL SPECIFICATION
5 SERVICES REQUIRED
6 OUTPUT
7 ELIMINATION CRITERIA
8 FUNCTIONAL EVALUATION CRITERIA
SECTION B – TERMS AND CONDITIONS
9 PROPRIETARY INFORMATION
10 VENUE FOR PROPOSAL SUBMISSION
11 TENDER PROGRAMME
12 SUBMISSION OF PROPOSALS
13 DEADLINE FOR SUBMISSION
14 EVALUATION PROCESS
15 PRICING PROPOSAL
16 VALIDITY PERIOD OF PROPOSAL
17 APPOINTMENT OF SERVICE PROVIDER
18 ENQUIRIES AND CONTACT WITH THE CSIR
19 MEDIUM OF COMMUNICATION
20 COST OF PROPOSAL
21 CORRECTNESS OF RESPONSES
22 VERIFICATION OF DOCUMENTS
23 SUB-CONTRACTING
24 ENGAGEMENT OF CONSULTANTS
25 TRAVEL EXPENSES
26 CONFLICT OF INTEREST
27 ADDITIONAL TERMS AND CONDITIONS
28 CSIR RESERVES THE RIGHT TO
29 DISCLAIMER
DECLARATION BY TENDERER
30 ANNEXURE A – CV TEMPLATE
SECTION A – TECHNICAL INFORMATION
1 INTRODUCTION
The Council for Scientific and Industrial Research (CSIR) is one of the leading scientific
research and technology development organisations in Africa. In partnership with national
and international research and technology institutions, CSIR undertakes directed and
multidisciplinary research and technology innovation that contributes to the improvement of
the quality of life of South Africans. The CSIR’s main site is in Pretoria while it is represented
in other provinces of South Africa through regional offices.
The CSIR is committed to supporting innovation in South Africa to improve national
competitiveness in the global economy. Science and technology services and solutions are
provided in support of various stakeholders, and opportunities are identified where new
technologies can be further developed and exploited in the private and public sectors for
commercial and social benefit.
2 BACKGROUND
The CSIR has embarked on efforts to become compliant with the Protection of Personal
Information Act 4 of 2013 (POPI). In tandem with these efforts, the CSIR has initiated a
process to overhaul its existing information security management measures.
3 INVITATION FOR PROPOSAL
The POPI compliance and information security management efforts are being managed
under a single project. To this end, the CSIR requires suitably qualified, professional and
experienced service providers to provide it with the specific services related to both
information security and privacy.
4 PROPOSAL SPECIFICATION
This RFP consists of two sections:
SECTION A:
This section describes the detailed scope and requirements for the services being
elicited under this RFP.
This section consists of two parts, Part A and Part B. Part A deals with the
requirements pertaining to POPI, while Part B deals with the requirements relating to
Information Security Management. See point 5 below for specifications.
SECTION B:
This section covers the general terms and conditions applicable to RFPs as laid
down by the CSIR. It also contains compulsory requirements for the format of
responses to this RFP.
All proposals are to be submitted in a format specified in this enquiry (if applicable).
However, tenderers are welcome to submit additional information over and above the
originally requested information.
Please see Section B, Sub-Section 12 below for more detail on format requirements.
5 SERVICES REQUIRED
The selected service provider will be required to:
a) In consultation with the CSIR: develop documents for use by the CSIR that align with
its business operations and organisational structure
b) Review documents drafted by the CSIR
c) Present and discuss the above-mentioned documents in meetings or stakeholder
workshops
The documents referred to are related to both information privacy and information security
management. Information privacy-related documents are described in Part A below and
information security-related documents are described in Part B.
Prior to the development of any documents, the selected service provider will be required to
meet with the CSIR to acquaint itself with the business of the CSIR, especially its
organisational structure and the nature of its operations.
The selected service provider must, prior to beginning any work, provide a single point of
contact with the CSIR with respect to the project. This individual must meet with the CSIR
POPI Task Team Leader once a week to discuss project progress, matters relevant to the
project’s time-frame, budget, deliverables, as well as any other relevant matters. Each
meeting may be telephonic or in person, whichever is deemed necessary by the POPI Task
Team Leader.
The service provider’s single point of contact may also be required to attend project steering
committee meetings on an as-needed basis. Such meetings are held every 2 months.
5.1 PART A – INFORMATION PRIVACY / POPI
The selected service provider will be responsible for drafting the documents as detailed in
the list below. The documents must be drafted in consultation with the CSIR. Unless stated
otherwise the scope of all documents applies to the CSIR in its entirety, i.e. all operating
units, support functions and sites in the regions.
All documents must at least be aligned to POPI; they may in addition incorporate
privacy best practices or standards, such as GAPP. Therefore, in order to be selected,
service providers must demonstrate experience and skills in the field of compliance
with information privacy or data protection laws (see Sub-Section Error! Reference
source not found. of this Section).
It is a requirement that the documents drafted by the selected service provider align with the
CSIR’s business operations and organisational structure, as well as applicable regulatory
and legal requirements.
Document for Drafting | Description
Information Privacy Policy | An internally-facing policy binding on all CSIR staff and contractors. It articulates the CSIR’s requirements regarding the protection of personal information and any sanctions for the breach thereof.
Privacy Notice/s | An externally facing document that describes how the CSIR inter alia, processes, protects, and provides access to the personal information of data subjects. The notice must cover website users, prospective employees, research subjects and other potential data subjects. It must align with the Information Privacy Policy above. Separate notices may be developed for different audiences if this is deemed more effective. If split into separate notices, a maximum of 3 notices will be required.
Privacy Impact Assessment Methodology | A methodology to be applied by the CSIR’s privacy function in order to determine the privacy risk related to a business activity (e.g. project, system, business process, service, product). The methodology must consider all relevant factors, including, but not limited to, legal / regulatory requirements and the CSIR’s Information Privacy Policy. It must produce an output that guides the CSIR into classifying the risk according to a scale (e.g. high, medium, low).
Privacy Incident Management Process | A description of a process to be followed once a potential privacy incident has been detected or reported. It must include steps for evaluating and responding to such incidents. A comprehensive process that covers all aspects of incident response is expected. The process itself must be described using BPMN or a similar notation agreed upon in advance with the CSIR. In addition to the BPMN diagram, the process, and all associated roles and responsibilities must be defined and described in the document.
Information Handling Guide/Standard | A guide (or standard mandated through policy) that describes best practices/rules for dealing with personal information on different forms of media or technology (e.g. on paper, removable media, server, desktop etc.). For each form, media or technology, the document should describe required practices for each stage in the information lifecycle.
In addition, the selected service provider will be responsible for reviewing the following
documents in order to ensure their adequacy and to point out any deficiencies. The review
should be based on best-practice, the experience and knowledge of the service provider, as
well as applicable regulatory and legal requirements.
Document for Review | Description
Privacy Operating Model | This describes the roles and responsibilities within the privacy function of the CSIR, as well as how the privacy function will relate to other functions and units within the CSIR.
Privacy Impact Assessment Process | This defines the process to be followed when a privacy impact assessment is either a) requested by an operating unit or support function, or b) requested by the privacy function on its own initiative. It also defines how the privacy impact assessment results are dealt with post-assessment. This process is distinct from the methodology to be used in the assessment itself (see the table above).
Personal Information Access or Query Process | This describes the process by which the CSIR will handle requests by data subjects or others for access to personal information.
Contract Templates | These documents contain standard wording for contracts commonly used within the CSIR (e.g. a contract for a student intern). Only a review of the privacy related wording is required. A maximum of 4 contract templates will be required for review.
Privacy Awareness Plan | This plan documents the CSIR’s information privacy awareness activities for the year.
One Full-Day Workshop | This will be to workshop the deliverables above with CSIR stakeholders and project team members. This may be split into shorter workshops instead of a single 8 hour workshop.
5.2 PART B – INFORMATION SECURITY MANAGEMENT
The CSIR is in the process of overhauling its information security management. In particular
it seeks to be aligned with the ISO 27000 series of standards in order to develop an
Information Security Management System (ISMS). Thus, in order to be selected, service
providers must demonstrate experience and skills related to the design and
implementation of ISMSs as contemplated under the ISO 27000 series of standards in
their responses (see Sub-Section Error! Reference source not found. of this Section).
The selected service provider will be responsible for drafting the documents detailed in the
table below. The documents must be drafted in consultation with the CSIR. Unless stated
otherwise the scope of all documents applies to the CSIR in its entirety, i.e. all operating
units, support functions and sites in the regions. All documents produced must be
aligned to the ISO 27000 series of standards.
Policies and standards included in the table below must form part of a single, rationalised
policy framework for information security and privacy. That is, there must be:
- A hierarchical structure in terms of policies and standards
- Minimal or no repetition of policy rules across policies
- Minimal or no overlap in policy subject matter in policies that are on the same level of a hierarchical structure
- Appropriate references to other policies or standards in the hierarchy
- Consistency in terms of content, language and format
In addition, the links between information security and privacy policies, processes and other
documents must be made clear in any documents.
It is a requirement that the documents drafted by the selected service provider align with the
CSIR’s business operations and organisational structure. Furthermore, where such
documents already exist within the CSIR, the selected service provider is required to take
cognisance of these, and where necessary, incorporate relevant information into
replacement documents.
Document for Drafting | Description
Information Security Operating Model | This describes the roles and responsibilities within the information security function of the CSIR, as well as how the information security function will relate to other functions and units within the CSIR.
Information Security Policy | A policy that, at a high level, articulates the CSIR’s requirements regarding information security.
Information Classification Policy | A child policy of the Information Security Policy. This policy provides rules on how to classify information and treat different classes of information.
Network Security Policy | A child policy of the Information Security Policy. This policy defines rules for network security including both perimeter and internal controls.
Access Control Policy | A child policy of the Information Security Policy. This policy defines rules for logical access to information resources.
Third Party Access Policy | A child policy of the Information Security Policy. This policy provides rules for when and how third parties may access information resources. It may be made binding upon third parties through contracts.
Acceptable Use Policy | A child policy of the Information Security Policy. This policy spells out the conditions or limits for acceptable use of information resources for staff and contractors.
Backup Policy | A child policy of the Information Security Policy. This policy defines the rules for backup of information resources.
Social Media Policy | This policy defines rules for the use of social media by employees and contractors.
BYOD Policy | This policy regulates the use of personal devices connected to CSIR infrastructure or containing CSIR information.
Information Security Incident Management Process | A description of a process to be followed once an information security incident has been detected or reported. It must include how to evaluate and respond to such incidents. A comprehensive process that covers all aspects of incident response is expected. The process itself must be described using BPMN or a similar notation agreed upon in advance with the CSIR. In addition to the BPMN diagram, the process, and all associated roles and responsibilities must be defined and described in the document. It is expected that this process will link with the privacy incident management process, as well as the existing IT incident management process.
Business Continuity Policy | This policy defines critical business functions within the CSIR and defines rules for ensuring that critical business functions continue to operate in the face of disasters.
Two Full-Day Workshops | This will be to workshop the deliverables above with CSIR stakeholders and project team members. This may be split into shorter workshops instead of two 8 hour workshops.
In addition, the selected service provider will be responsible for reviewing the following
documents in order to ensure their adequacy and to point out any deficiencies. The review
should be based on best-practice, the experience and knowledge of the service provider, as
well as any relevant standards.
Document for Review | Description
Vulnerability Management Strategy | This document details the strategy for detecting and remediating technical vulnerabilities in information infrastructure.
Vulnerability Management Process | This document details the process by which technical vulnerabilities in information infrastructure will be identified, classified and remediated / mitigated.
The selected service provider will be required to provide the results of any reviews as
contemplated in the table above using track changes on the source documents and/or by
providing recommended changes in separate documents.
6 OUTPUT
The selected service provider must:
- Produce and review the documents detailed in Sub-Section 5 above to the CSIR’s satisfaction
- Produce and review the documents detailed in Sub-Section 5 above within a maximum of 6 months and in line with project deadlines
- Avail its staff for meetings and workshops as detailed in Sub-Section 5 above.
7 ELIMINATION CRITERIA
Proposals will be eliminated under the following conditions:
- Submission after the deadline;
- Proposals submitted at incorrect location;
- Non-attendance of the compulsory briefing session;
- Failure to submit CVs indicating the experience & qualifications of each member of the engagement team;
- Failure to indicate corporate experience performing similar work; and
- Failure to submit references for similar work performed.
The following mandatory documentation will be required before any negotiations will start with the
potential winning bidder or before any contract / order will be awarded:
- Completed CSIR Supplier Registration Form (if not registered with CSIR), alternatively, provide the CSIR Vendor number;
- Original valid Tax Clearance Certificate or Letter of Good standing issued by SARS (RSA suppliers only);
- Original or certified copy of B-BBEE certificate – where B-BBEE credentials were used as part of evaluation (RSA suppliers only); and
- Proof of company registration (CK2 form) (RSA suppliers only).
8 FUNCTIONAL EVALUATION CRITERIA
8.1 The evaluation of the functional / technical detail of the proposal will be based on the
following criteria:
Criteria | Weight
Experience and Qualifications of Engagement Team | 65%
Corporate Track Record Performing Similar Work | 35%
Proposals with a functionality score of less than 70% overall and less than 50% within each
criterion will be eliminated from further evaluation.
Please note compulsory requirements within each criterion that are listed below – failure to
meet any compulsory requirements will result in a score of 0% for that criterion.
The tenderer shall prepare for a possible presentation should CSIR require such and the
tenderer shall be notified thereof no later than 4 (four) days before the actual presentation
date.
8.1.1 Experience and Qualifications of Engagement Team
It is a requirement of this RFP that the proposed engagement team is utilised for the work.
Where a member of the engagement team is unable to perform the work due to resignation,
illness or other unforeseen circumstance, the service provider is required to substitute that
individual with another individual that is equally experienced and qualified. The CSIR must
be notified of such substitution in advance and must approve it. Failure to comply with this
requirement may lead to the termination of any contract awarded under this RFP.
Requirements for the information privacy / POPI work as specified in Sub-Section 5.1 above:
Compulsory Requirement / Advantage | Description | Score
Compulsory requirement | Individual in engagement team has experience providing POPI consulting services or working with POPI [1]. | 50%
Advantage | Individual in engagement team has experience working in the field of data protection / information privacy in a jurisdiction already governed by a comprehensive model [2] for data protection (e.g. the European Union). | 20%
Advantage | Individual in engagement team is IAPP certified. Please provide proof of certification and indicate if certification is current or has lapsed. A current certification will be considered more of an advantage than one that has lapsed. | 10%
Advantage | Individual in engagement team has a post-graduate qualification in information privacy / data protection (note that this is qualification from a tertiary education institute, not a professional certification body). | 5%
Advantage | Individual in engagement team has experience developing the specific deliverables required in this RFP (See Sub-Section 5.1 above). | 15%
[1] This must apply to the majority of engagement team members who will work on POPI-related deliverables.
[2] As defined by the International Association of Privacy Professionals
Requirements for information security management work as specified in Sub-Section 5.2 above:
Compulsory Requirement / Advantage | Description | Score
Compulsory requirement | Individual in engagement team has experience in drafting information security policies for a large organisation (approx. 3000 or more staff) [3]. | 40%
Advantage | Individual in engagement team has experience working with ISO 27000 series of standards. | 10%
Advantage | Individual in engagement team has experience working with ISMS implementations. | 20%
Advantage | Individual in engagement team is ISO 27001 certified, for example, ISO 27001 Lead Auditor or Lead Implementer. | 15%
Advantage | Individual in engagement team has experience developing the specific deliverables required in this RFP. | 15%
Service providers are required to use the template in Annexure A for the curriculum vitae of
engagement team members.
8.1.2 Corporate Track Record Performing Similar Work
Requirements for the information privacy / POPI work as specified in Sub-Section 5.1 above:
Compulsory Requirement / Advantage | Description | Score
Compulsory requirement | Corporate experience providing data protection / information privacy consulting services in South Africa. | 30%
Advantage | Corporate experience providing data protection / information privacy consulting services in a jurisdiction already governed by a comprehensive model [4] for data protection (e.g. the European Union). | 30%
Advantage | Corporate experience in providing clients with the specific deliverables required in this RFP. | 40%
[3] This must apply to at least half the engagement team members who will be tasked with drafting information security policies.
[4] As defined by the International Association of Privacy Professionals
Requirements for information security management work as specified in Sub-Section 5.2 above:
Compulsory Requirement / Advantage | Description | Score
Compulsory requirement | Corporate experience providing information security management consulting services using ISO 27000 series of standards. | 30%
Compulsory requirement | Corporate experience in establishing an ISMS as contemplated in the ISO 27000 series of standards. | 50%
Advantage | Corporate experience in providing clients with the specific deliverables required in this RFP. | 20%
Please note: The tables in 8.1.1 and 8.1.2 above do not contain an exhaustive list of factors
that the CSIR will use to evaluate experience and qualifications and service providers are
encouraged to include any additional information as they see fit. The CSIR reserves the right
to evaluate experience and qualifications in accordance with its needs and best interests.
8.2 Refer to Annexure A for CV template that must be used.
SECTION B – TERMS AND CONDITIONS
9 PROPRIETARY INFORMATION
The CSIR considers this Request for Proposal (RFP) and all related information, either
written or verbal, which is provided to the respondent, to be proprietary to the CSIR. It shall
be kept confidential by the respondent and its officers, employees, agents and
representatives. The respondent shall not disclose, publish, or advertise this specification or
related information in part or as a whole to any third party without the prior written consent of
the CSIR. This applies regardless of whether the recipient of this RFP responds with a
proposal or not. The CSIR reserves the right to require the return or destruction of all
documents supplied or produced during the proposal process, including extracts, summaries
and related notes.
Unauthorised disclosure of the RFP or its contents or failure to observe other specific
requirements contained herein may result in disqualification from further consideration in
addition to any other remedies the CSIR may have under law or equity.
The CSIR will maintain strict confidentiality in receipt of and possession of proposal
responses including clarifications and other submissions during the RFP process. All material
submitted in response to the RFP shall become the property of the CSIR and may only be
returned at the CSIR’s discretion. The CSIR has the right to use any or all of the information
presented in any reply to the RFP. Selection or rejection of any proposal does not affect this
right. The successful respondent(s) shall not use the contract or CSIR name for promotional
purposes, without seeking the prior approval from the CSIR.
The provisions of the above paragraph will also apply to any subcontractors and/or joint
venture partners that respondents may propose in proposals.
10 VENUE FOR PROPOSAL SUBMISSION
All proposals must be submitted at:
CSIR GATE 03 - Main Reception Area (in the Tender box) at the following address
Council for Scientific and Industrial Research (CSIR)
Meiring Naudé Road
Brummeria
Pretoria
11 TENDER PROGRAMME
The tender programme, as currently envisaged, incorporates the following key dates:
Issue of tender documents: 4 September 2015
Tender briefing session: 16 September 2015
Place: CSIR Pretoria
Venue: Building 22, Central Station
Time: 14:00 – 15:00
Closing / submission Date: 25 September 2015
Target start date of the project: 1 November 2015
Target completion date of the project: 31 August 2016
12 SUBMISSION OF PROPOSALS
12.1 All proposals are to be sealed. No open proposals will be accepted.
12.2 All proposals are to be clearly marked with the RFP number and the name of the tenderer
on the outside of the main package. Proposals must consist of two parts, each of which is
placed in a separate sealed package clearly marked:
PART 1: Technical Proposal: RFP No.: 647/25/09/2015
PART 2: Pricing Proposal, B-BBEE and other Mandatory Documentation:
RFP No.: 647/25/09/2015
12.3 Respondents must structure PART 1 to include at least the following sections:
- Corporate Information Privacy Experience
- Corporate Information Security Management Experience
- Engagement Team Qualifications and Experience
When populating the sections in the bullet list above, respondents must take note of
further requirements in Sub-Section Error! Reference source not found. above (e.g. the
CV template).
Respondents are encouraged to structure their responses to allow the CSIR to easily
reconcile the information in their responses with the requirements and advantages listed
in Sub-Section Error! Reference source not found. below.
12.4 Proposals submitted by companies must be signed by a person or persons duly authorised.
12.5 The CSIR will award the contract to qualified tenderer(s) whose proposal is determined to
be the most advantageous to the CSIR, taking into consideration the technical
(functionality) solution, price and B-BBEE.
13 DEADLINE FOR SUBMISSION
Proposals shall be submitted at the address mentioned above no later than the closing date
of Friday, 25 September 2015, during CSIR’s business hours. The CSIR business hours are
between 08h00 and 16h30.
Where a proposal is not received by the CSIR by the due date and stipulated place, it will be
regarded as a late tender. Late tenders will not be considered.
14 EVALUATION PROCESS
14.1 Evaluation of proposals
All proposals will be evaluated by an evaluation team for functionality, price and B-BBEE.
Based on the results of the evaluation process and upon successful negotiations, the CSIR
will approve the awarding of the contract to successful tenderers.
A two-phase evaluation process will be followed.
The first phase includes functionality, local production and content.
The second phase includes the evaluation of price and B-BBEE status.
Pricing Proposals will only be considered after the functionality phase has been adjudicated
and accepted. Only proposals that achieved the specified minimum qualification scores
for functionality will be evaluated further using the preference points system.
14.2 Preference points system
The 90/10 preference point system will be used where 90 points will be dedicated to price
and 10 points to B-BBEE status. If all tenders received are less than R1m, the proposal
will be cancelled and re-issued.
15 PRICING PROPOSAL
15.1 Pricing proposal must be cross-referenced to the sections in the Technical Proposal. Any
options offered must be clearly labelled. Separate pricing must be provided for each option
offered to ensure that pricing comparisons are clear and unambiguous.
15.2 Price needs to be provided in South African Rand (excl. VAT), with details on price
elements that are subject to escalation and exchange rate fluctuations clearly indicated.
15.3 Price should include additional cost elements such as freight, insurance until acceptance,
duty where applicable.
15.4 Only firm prices* will be accepted during the tender validity period. Non–firm prices**
(including prices subject to rates of exchange variations) will not be considered.
*Firm price is the price that is only subject to adjustments in accordance with the actual
increase or decrease resulting from the change, imposition, or abolition of customs or
excise duty and any other duty, levy, or tax which, in terms of a law or regulation is binding
on the contractor and demonstrably has an influence on the price of any supplies, or the
rendering costs of any service, for the execution of the contract;
**Non-firm price is all prices other than “firm” prices.
15.5 Payment will be according to the CSIR Payment Terms and Conditions.
16 VALIDITY PERIOD OF PROPOSAL
Each proposal shall be valid for a minimum period of three (3) months calculated from the
closing date.
17 APPOINTMENT OF SERVICE PROVIDER
17.1 The contract will be awarded to the tenderer who scores the highest total number of points
during the evaluation process, except where the law permits otherwise.
17.2 Appointment as a successful service provider shall be subject to the parties agreeing to
mutually acceptable contractual terms and conditions. In the event of the parties failing to
reach such agreement CSIR reserves the right to appoint an alternative supplier.
18 ENQUIRIES AND CONTACT WITH THE CSIR
Any enquiry regarding this RFP shall be submitted in writing to CSIR at [email protected]
with “RFP No 647/25/09/2015 - The provision or supply of professional services related
to CSIR Information Privacy and Information Security Management Upgrade” as the
subject.
Any other contact with CSIR personnel involved in this tender is not permitted during the
RFP process other than as required through existing service arrangements or as requested
by the CSIR as part of the RFP process.
19 MEDIUM OF COMMUNICATION
All documentation submitted in response to this RFP must be in English.
20 COST OF PROPOSAL
Tenderers are expected to fully acquaint themselves with the conditions, requirements and
specifications of this RFP before submitting proposals. Each tenderer assumes all risks for
resource commitment and expenses, direct or indirect, of proposal preparation and
participation throughout the RFP process. The CSIR is not responsible directly or indirectly
for any costs incurred by tenderers.
21 CORRECTNESS OF RESPONSES
21.1 The tenderer must confirm satisfaction regarding the correctness and validity of their
proposal and that all prices and rates quoted cover all the work/items specified in the RFP.
The prices and rates quoted must cover all obligations under any resulting contract.
21.2 The tenderer accepts that any mistakes regarding prices and calculations will be at their
own risk.
22 VERIFICATION OF DOCUMENTS
22.1 Tenderers should check the numbers of the pages to satisfy themselves that none are
missing or duplicated. No liability will be accepted by the CSIR in regard to anything arising
from the fact that pages are missing or duplicated.
22.2 One hard copy and one electronic copy (on CD or USB memory key, with searchable
text) of each proposal must be submitted. In the event of a contradiction between the
submitted copies, the hard copy shall take precedence.
22.3 Pricing schedule and B-BBEE credentials should be submitted with the proposal, but as a
separate document and no such information should be available in the technical proposal.
22.4 If a courier service company is being used for delivery of the proposal document, the RFP
description must be endorsed on the delivery note/courier packaging to ensure that
documents are delivered to the tender box, by the stipulated due date.
23 SUB-CONTRACTING
23.1 A tenderer will not be awarded points for B-BBEE status level if it is indicated in the tender
documents that such a tenderer intends sub-contracting more than 25% of the value of the
contract to any other enterprise that does not qualify for at least the points that such a
tenderer qualifies for, unless the intended sub-contractor is an exempted micro enterprise
that has the capability and ability to execute the sub-contract.
23.2 A tenderer awarded a contract may not sub-contract more than 25% of the value of the
contract to any other enterprise that does not have an equal or higher B-BBEE status level
than the person concerned, unless the contract is sub-contracted to an exempted micro
enterprise that has the capability and ability to execute the sub-contract.
24 ENGAGEMENT OF CONSULTANTS
The CSIR will use the following as a guide for remuneration of consultants, namely rates
that are/have been:
24.1 Determined in the "Guideline for fees", issued by the South African Institute of Chartered
Accountants (SAICA); or
24.2 Set out in the "Guide on Hourly Fee Rates for Consultants", by the Department of Public
Service and Administration (DPSA); or
24.3 Prescribed by the body regulating the profession of the consultant.
25 TRAVEL EXPENSES
25.1 All travel expenses for the CSIR’s account, be it directly via the CSIR’s travel agent or
indirectly via re-imbursements, must be in line with the CSIR’s travel policy. The following
will apply:
25.1.1 Only economy class tickets will be used.
25.1.2 A maximum of R1300 per night for accommodation, dinner, breakfast and parking will be
allowed.
25.1.3 No car rentals of more than a Group B will be accommodated.
26 CONFLICT OF INTEREST
26.1 The successful supplier shall not be allowed to provide any equipment to the CSIR where
the requirement or need for such equipment has arisen from documents, deliverables or
advice provided by the supplier in the fulfilment of this tender.
26.2 The successful supplier must not have any financial or operational ties to any potential
vendors for the aforementioned equipment.
26.3 The successful supplier shall not be allowed to provide audit or assurance services to the
CSIR where the scope of such services requires the supplier to audit or provide
assurance for work it has performed in the fulfilment of this tender.
27 ADDITIONAL TERMS AND CONDITIONS
27.1 A tenderer shall not assume that information and/or documents supplied to CSIR, at any
time prior to this request, are still available to CSIR, and shall consequently not make any
reference to such information and/or documents in its response to this request.
27.2 Copies of any affiliations, memberships and/or accreditations that support your submission
must be included in the tender.
27.3 In the case of a proposal from a joint venture, the following must be submitted together with the
proposal:
Joint venture Agreement including split of work signed by both parties;
The original or certified copy of the B-BBEE certificate of the joint venture;
The Tax Clearance Certificate of each joint venture member;
Proof of ownership/shareholder certificates/copies of Identity document; and
Company registration certificates.
27.4 An omission to disclose material information, a factual inaccuracy, and/or a
misrepresentation of fact may result in the disqualification of a tender, or cancellation of any
subsequent contract.
27.5 Failure to comply with any of the terms and conditions as set out in this document will
invalidate the Proposal.
28 CSIR RESERVES THE RIGHT TO
28.1 Extend the closing date; Verify any information contained in a proposal;
28.2 Request documentary proof regarding any tendering issue;
28.3 Give preference to locally manufactured goods;
28.4 Appoint one or more service providers, separately or jointly (whether or not they submitted
a joint proposal);
28.5 Award this RFP as a whole or in part;
28.6 Cancel or withdraw this RFP as a whole or in part.
29 DISCLAIMER
This RFP is a request for proposals only and not an offer document. Answers to this RFP
must not be construed as acceptance of an offer or imply the existence of a contract between
the parties. By submission of its proposal, tenderers shall be deemed to have satisfied
themselves with and to have accepted all Terms & Conditions of this RFP. The CSIR makes
no representation, warranty, assurance, guarantee or endorsement to the tenderer concerning
the RFP, whether with regard to its accuracy, completeness or otherwise and the CSIR shall
have no liability towards the tenderer or any other party in connection therewith.
DECLARATION BY TENDERER
Only tenderers who completed the declaration below will be considered for evaluation.
RFP No: ……………………………..
I hereby undertake to render services described in the attached tendering documents to CSIR in
accordance with the requirements and task directives / proposal specifications stipulated in RFP
No.………….……….. at the price/s quoted. My offer/s remains binding upon me and open for
acceptance by the CSIR during the validity period indicated and calculated from the closing date
of the proposal.
I confirm that I am satisfied with regard to the correctness and validity of my proposal; that the
price(s) and rate(s) quoted cover all the services specified in the proposal documents; that the
price(s) and rate(s) cover all my obligations and I accept that any mistakes regarding price(s) and
rate(s) and calculations will be at my own risk.
I accept full responsibility for the proper execution and fulfilment of all obligations and conditions
devolving on me under this proposal as the principal liable for the due fulfilment of this proposal.
I declare that I have no participation in any collusive practices with any tenderer or any other
person regarding this or any other proposal.
I accept that the CSIR may take appropriate actions, deemed necessary, should there be a
conflict of interest or if this declaration proves to be false.
I confirm that I am duly authorised to sign this proposal.
NAME (PRINT) …………………………. CAPACITY ……………………….
SIGNATURE ……………………………. NAME OF FIRM ………………………….….
DATE ……………………………….
WITNESSES 1 …….……………………………
2 ……….………………………… DATE: .…………………………..
30 ANNEXURE A – CV TEMPLATE
Please use the table on the following page as a template for the CVs of the proposed
engagement team. This is to be included in the Section “Engagement Team Qualifications and
Experience” in PART 1 of the bid response.
Do not remove any categories / items (marked in bold).
Notes:
1. Please indicate if a qualification is an information privacy qualification if this is not explicit in the
title of the qualification.
2. In order to demonstrate experience, qualifications or other competitive advantage, please feel
free to add further categories by adding to the end of the table (e.g. Other Experience,
Publications, Eminence, etc.).
EXAMPLE
Name
Joe Soap
<Photograph – Optional>
Position
Associate Director
Qualifications & Institutes
BSc (Computer Science), ABC University
LLM (Human Rights Law), XYZ University (specialising in Data Protection)1
Certifications
CISSP, 2011, not current
CIPP/ IT, 2013, current
ISO 27001 Lead Implementer, 2010, current
Profile
Joe Soap started his career as an Information Security Officer at XYZ Bank in 1997. He left
the bank as its Chief Information Security Officer in 2005 and joined ACME Consulting as an
Associate Director specialising in Information Security Management.
Relevant Experience per Requirements:
Experience providing POPI consulting services or
working with POPI.
POPI Gap Analysis at ABC Corp
Privacy Officer at ACME Corp
Experience working in the field of data protection /
information privacy in a jurisdiction already
governed by a comprehensive model for data
protection.
Privacy Impact Assessment for ACME Corp, Germany
Privacy Policy Development at ABC Corp, England
Experience developing the specific deliverables
required in this RFP.
Privacy Policy Development at ABC Corp, England
Designed Privacy Impact Assessment Methodology at
XYZ Corp
Drafted Access Control Policy at ACME Corp
Reviewed ABC Corp Business Continuity Plan
Designed Security Operating Model for XYZ Corp
Experience in drafting information security policies
for a large organisation (approx. 3000 or more
staff).
Drafted Access Control Policy at ACME Corp
Experience working with ISO 27000 series of
standards.
Performed ISO 27001 audit at ACME Corp
Experience working with ISMS implementations.
Assisted with implementation of ISMS at XYZ Company
<Other Categories as Desired>2