
Request for Proposal (RFP) - SUD Life DR ISMS.pdf

Tender Ref No: SUD DR/ISMS 0001 Page 1

Request for Proposal (RFP)

Appointment of Consultants For

Disaster Recovery Planning and Implementation of an Information Security Management System for Star Union Dai-ichi Life Insurance Co. Ltd.

Tender Ref No: SUD DR/ISMS 0001


Table of Contents

1. Invitation for tender offers ..... 3
2. About Star Union Dai-ichi Life Insurance ..... 4
3. RFP Objectives ..... 5
3.1. Project Objective ..... 5
3.1.1. Disaster Recovery Planning – Scope of Work ..... 5
3.1.2. Information Security Management System - Scope of Work ..... 5
3.2. Details of task to be performed ..... 8
3.2.1. Disaster Recovery Planning ..... 8
3.2.2. ISMS Implementation ..... 10
4. Instructions to Bidders ..... 12
4.1. Introduction ..... 12
4.2. Information Provided ..... 12
4.3. Disclaimer ..... 12
4.4. Submission of Bids ..... 13
4.5. Costs Borne by Respondents ..... 13
4.6. No Legal Relationship ..... 14
4.7. RFP Validity Period ..... 14
4.8. Requests for Information ..... 14
4.9. Eligibility Criteria ..... 14
5. Terms and Conditions of the Tender ..... 15
5.1. Substitution of Project Team Members ..... 15
5.2. Any selected bidders will not be allowed to bid for system integration and the implementation of Disaster recovery setup ..... 15
5.3. Professionalism ..... 15
5.4. Expenses ..... 15
5.5. TERMS OF PAYMENT ..... 16
5.5.1. Disaster Recovery Planning ..... 16
5.5.2. Information Security Management System ..... 16
5.6. Subcontracting ..... 16
5.7. Consultant Selection/Evaluation Process ..... 17
5.8. Performance Security ..... 19
5.9. ANNEXURE A ..... 21
5.10. ANNEXURE B ..... 25
5.11. ANNEXURE C ..... 27
5.12. ANNEXURE D ..... 28
5.13. ANNEXURE E ..... 29
5.14. ANNEXURE F ..... 30
(Sample form) ..... 30
PERFORMANCE SECURITY FORM ..... 30

1. Invitation for tender offers

Star Union Dai-Ichi (SUD) Life Insurance Co Ltd. invites sealed tender offers (technical offer and commercial offer) for selection of a consulting company to assist the company in the formulation and implementation of a Disaster Recovery Plan and an Information Security Management System. The details of the tender schedule are given below:

Tender Reference: SUD DR/ISMS 0001

Last date for receipt of bidder queries: May 25th 2010 up to 1200 Hrs. @ Vashi BO. / via email

Pre-bid meeting: May 27th 2010 at 1500 Hrs. @ Vashi BO.

Last Date and Time for receipt of tender offers: June 15, 2010 up to 1500 Hrs.

Opening of technical offers: June 17, 2010 at 1600 Hrs.

Address of Communication: Star Union Dai-Ichi Life Insurance Company Limited, 11th Floor, Raghuleela Arcade, IT Park, Sector 30A, Opp. Vashi Rly. Station, Vashi Navi-Mumbai – 400 703

Email address: [email protected] [email protected]

Contact Telephone/Fax Numbers: Phone: +91-22-39546231 Fax: +91-22-39546292

Bids to be submitted to: At above address


2. About Star Union Dai-ichi Life Insurance

Bank of India and Union Bank of India, two leading Public Sector Banks in India, and the Dai-ichi Mutual Life Insurance Company, a leading Japanese company in the Life Insurance market, have floated a Joint Venture Company, "Star Union Dai-ichi Life Insurance Co. Ltd.", for undertaking Life Insurance Business in India. Bank of India and Union Bank have a strong nationwide network of more than 6500 offices, which shall provide distribution outlets with a wide reach. The more than 48 million strong banking customer base of the two banks provides ready scope for cross selling of insurance products. The two banks have strong brand equity and command a high level of trust among their customers and people at large. The Regional Rural Banks sponsored by the two banks provide more than 1400 branches to tap the life-insurance business in the rural areas. Star Union Dai-ichi Life Insurance Company Ltd. is also committed to providing insurance to rural and weaker / social sectors. Both the domestic partners are in the process of implementing the Govt. of India’s initiative of Financial Inclusion, and their pan-India network of branches gives the Company a natural edge in catering to these sectors effectively.

The Company has already set up a state-of-the-art data centre with the latest technology infrastructure to support its insurance business. Life Asia is one of the core business solutions. The SUD technology team is responsible for delivery of business solutions and management of core IT infrastructure. The datacenter is centrally managed and applications are accessed from SUD offices at various locations through an MPLS network.


3. RFP Objectives:

3.1. Project Objective

3.1.1. Disaster Recovery Planning – Scope of Work

SUD Life Insurance proposes to engage the services of a Consultant to assist in the formulation of a disaster recovery plan and in project management of the implementation and testing of the plan. The objective of this request for proposal is to provide the company with qualified proponents capable of carrying out the work defined herein. SUD is planning to establish a Disaster Recovery setup to provide backup for critical IT services in the event of a disaster. The approach followed for establishment of the plan should be aligned to the BS 25999 standard. The key activities to be performed as part of this engagement are as follows:

1. Perform detailed risk and business impact analysis of current business processes and underlying systems to identify and clarify the business availability requirements

2. Identify critical resource recovery requirements and establish the recovery strategies

3. Develop a detailed Disaster Recovery Policy & Plan with clearly identified strategies for various disaster scenarios. Develop detailed DR manuals.

4. Develop a detailed implementation architecture.

5. Develop the Bill of Material for the resource requirements for setting up of the DR site

6. Formulate a request for proposal for selection of the implementation partner for the DR setup

7. Assist in vendor selection through evaluation of the responses received from the vendors/ meetings and site visits

8. Assist in negotiation on terms and conditions with the selected vendor

9. Perform program management for setup of the DR site, including identifying the DR site location, performing a physical and environmental control review, designing the infrastructure deployment strategy and monitoring the progress of DR setup activities

10. Create Computer Based Training for awareness of the importance of Business Continuity

11. Facilitate DR testing to verify operational effectiveness of DR site & monitor the conduct of DR drills

Refer to section 3 for details on the expected activities to be performed by the consultant.

3.1.2. Information Security Management System - Scope of Work

SUD desires to implement an Information Security Management System & obtain ISO 27001 Certification for:

- SUD’s primary datacenter at Airoli, Navi Mumbai
- SUD’s IT Department at back office Vashi, Navi Mumbai
- SUD’s HR Department at back office Vashi, Navi Mumbai
- SUD’s Investment Department at back office Vashi, Navi Mumbai
- SUD’s Operations Department at back office Vashi, Navi Mumbai
- SUD’s Finance Department at back office Vashi, Navi Mumbai

The key activities to be performed as part of the engagement are as follows:

1. Develop the ISMS Scope Document

2. Carry out the asset classification exercise for the concerned department assets (IT, HR, Investment, Operation and Finance). The objective of asset classification is to maintain appropriate protection of corporate assets and to ensure that information assets receive an appropriate level of protection. Identify and list Important Information assets supporting the critical information and formulate an Asset Inventory Framework.

3. Conduct a gap analysis vis-à-vis ISO 27001 standard and IRDA Information Security Guidelines

4. Conduct a Risk Assessment covering the following:
a. Study & Documentation of IT Infrastructure assets including Computing Applications, Enterprise Wide Networking, Connectivity & Security Set Up
b. Study & Documentation of existing enterprise wide network (LAN, WAN, connectivity) layout, its design & functioning.
c. Review & Documentation of existing Security Controls across the Enterprise.
d. Review of the Network Architecture from a security, redundancy, failure and availability perspective.
e. Perform a Vulnerability Assessment & Penetration Testing (External & Internal) on servers and networking devices
f. Information Security Risk Assessment
g. Physical Controls Assessment
h. HR Controls Assessment
i. Provide recommendations for closure of gaps

5. Formulation of a detailed Risk Mitigation Plan for the control weaknesses observed vis-a-vis technology setup, network architecture and information security and other controls.

6. Formulation of the ISMS Framework covering the ISMS Manuals, Policies, Procedures and Detailed Audit Guidelines for Network Devices & Server Infrastructure.

7. Developing a Computer Based Training for Information Security Awareness

8. Conducting 5 Train-the-Trainer sessions each on Information Security and on Internal Audit for sets of SUD employees.

9. Performing a pre-certification audit

10. Provide assistance in closure of gaps

11. Facilitate the certification audit

12. Conduct SLA Audit of existing engagement with vendors and service providers.

Details on processes identified for certification, location and the approximate number of personnel under that scope of ISMS are enclosed under Annexure E.

Refer to section 3.2 for details on the expected activities to be performed by the consultants.


3.2. Details of task to be performed

Following is a broad overview of the activities to be performed by the consultant:

3.2.1. Disaster Recovery Planning

Phase 1 - Risk Assessment and Impact Analysis

Activities:

1.1 Understanding of SUD’s business processes and detailed analysis of critical business processes and underlying systems

1.2 Perform detailed Threat and Vulnerability assessment

1.3 Identify critical business processes and perform impact analysis:
- identify critical functions and processes
- analyze the impacts of an interruption to these functions and processes
- determine the availability requirement for each
- identify the components (dependencies) that support the critical areas analyzed in terms of information & communications services
The analysis should identify business qualitative risks and quantify financial, operational and indirect impacts if the business is interrupted for any reason.

Expected Deliverables:
- Threat and vulnerability assessment report
- Business Impact Analysis Document

Phase 2 - Recovery resource requirement and Recovery strategy

Activities:

2.1 Identify and finalize the Recovery Time Objective and Recovery Point Objective for critical processes/systems

2.2 Review the existing data replication, backup and storage methodology adopted or planned for the aforesaid systems

2.3 Identify recovery resource requirements

2.4 Identify multiple recovery strategies for ensuring availability of core IT infrastructure services. Consultants should develop several alternatives to address specific staff, recovery locations, business and technical interfaces, computing equipment, network connectivity and costs.

2.5 Assist SUD's management in selection of the right recovery strategy by evaluating the best suited data replication, backup and storage management methodology for the systems. The suggested measures should extend to recovery of applications and supporting IT infrastructure viz. servers, network and security.

Expected Deliverables:
- Recovery resource requirement document
- Recovery strategy for IT DR document, which should at least contain:
  a) survey and interview analysis
  b) prioritized list of critical business process priorities and availability requirements
  c) prioritized list of critical end-user IT service (application) priorities and availability requirements
  d) identification of Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
  e) agreed tolerance levels for disruption of business processes
  f) business process changes which would facilitate improved recovery times
  g) mitigation strategies
  h) a framework for the evaluation of future services and determining availability requirements
- Order-of-magnitude cost estimates for each alternative, and identification of the “best fit” for SUD

Phase 3 - Development of Disaster Recovery Plan

Activities:

3.1 Define the systems (application and IT infrastructure) for setup of the IT disaster recovery plan. Define the recovery timelines for each of the systems supporting business (based on the assessment of impact from the loss of critical systems)

3.2 Define IT Disaster recovery team structure

3.3 Development of Disaster Recovery Policy and Plan

3.4 Assist SUD teams in development of recovery procedures, guidelines and checklists

3.5 Presentation to senior management on findings, conclusions, recommendations and approach to setup a DR site

Expected Deliverables:
- DR Policy Document
- DR plan document
- DR recovery procedures
- DR setup roadmap

Phase 4 - DR site deployment, testing and maintenance

Activities:

4.1 Assist SUD in selection of DR site based on the DR strategy

4.2 A high-level implementation plan and Bill of Materials should be developed based on the resource requirements and presented to the Management

4.3 Assist SUD in developing a request for proposal for selection of the technology implementation partner for the DR setup

4.4 Assist SUD in designing the evaluation criteria

4.5 Assist SUD in evaluation of RFP responses through submitted proposals and site setup

4.6 Review of DR site location and facilities. Perform detailed physical and environmental control review.

4.7 Participate in negotiations on terms and conditions of various vendors

4.8 Establish a Project Management Office. The PMO will have the following roles and responsibilities:
1) Monitor the progress and implementation of the DR setup.
2) Make suggestions for quality assurance and adherence to design of the DR setup.
3) Timely escalation of issues to SUD management and participation in issue resolution and escalation.
4) Reporting the progress of implementation to concerned stakeholders.
5) Coordinate with respective departments to enhance and speed up the project implementation.
6) Conduct periodic reviews of the activities carried out by the implementation partner from a completeness, adequacy and security standpoint.

4.9 Conduct computer based training and awareness session

4.10 Assist SUD in monitoring the testing of the DR site's operational capabilities

Expected Deliverables:
- DR implementation plan
- Bill of Materials along with high level implementation plan
- RFP for selection of implementation partner
- Vendor Evaluation Criteria
- DR site selection analysis document
- PMO activities & Project progress status
- DRP training presentation
- DR testing plan, drill results and improvement plan
- CBT on Business Continuity
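The Phase 2 activities above (finalising RTO/RPO per process, tracing dependencies down to the IT services and network, and ranking recovery alternatives by order-of-magnitude cost) can be worked through in code. The following is an added illustration, not part of the RFP or of any SUD deliverable; the processes, services, strategies, costs and the 25% RTO safety margin are all constructed assumptions.

```python
"""BIA roll-up and recovery-strategy selection for the Phase 2 DR activities.

All processes, services, strategies and costs are constructed sample data
(not SUD's), used to show how RTO/RPO flow from business impact to the IT
services they depend on and how cost-ranked alternatives are compared.
"""
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    mtpd_hours: float           # maximum tolerable period of disruption (from BIA)
    max_data_loss_hours: float  # agreed tolerance for lost transactions
    depends_on: list            # IT services the process cannot run without


@dataclass
class Service:
    name: str
    depends_on: list = field(default_factory=list)  # underlying services (DB, WAN...)


@dataclass
class Strategy:
    name: str
    rto_hours: float
    rpo_hours: float
    annual_cost: int            # order-of-magnitude estimate, constructed


def derive_objectives(processes, services, rto_margin=0.75):
    """Map each service to (RTO, RPO): the tightest requirement of every
    process that depends on it, directly or through other services.
    RTO is set at rto_margin * MTPD so recovery completes before the
    business limit is reached (the margin is an assumption of this example)."""
    by_name = {s.name: s for s in services}
    objectives = {}

    def propagate(svc, rto, rpo):
        cur = objectives.get(svc, (float("inf"), float("inf")))
        if rto >= cur[0] and rpo >= cur[1]:
            return  # nothing tightens; this also stops dependency cycles
        objectives[svc] = (min(cur[0], rto), min(cur[1], rpo))
        for dep in by_name[svc].depends_on:
            propagate(dep, rto, rpo)

    for p in processes:
        for svc in p.depends_on:
            propagate(svc, p.mtpd_hours * rto_margin, p.max_data_loss_hours)
    return objectives


def prioritised(objectives):
    """Services ordered by urgency: tightest RTO, then tightest RPO, first."""
    return sorted(objectives, key=lambda s: objectives[s])


def select_strategy(objectives, strategies):
    """Cheapest alternative meeting both objectives per service; None when no
    alternative fits (tolerance must be renegotiated or a new option designed)."""
    plan = {}
    for svc, (rto, rpo) in objectives.items():
        fits = [s for s in strategies if s.rto_hours <= rto and s.rpo_hours <= rpo]
        plan[svc] = min(fits, key=lambda s: s.annual_cost) if fits else None
    return plan


def unmet(plan):
    """Services for which no candidate strategy satisfies the objectives."""
    return sorted(svc for svc, strat in plan.items() if strat is None)


def plan_cost(plan):
    """Order-of-magnitude annual cost of the feasible part of the plan."""
    return sum(s.annual_cost for s in plan.values() if s is not None)


# Constructed sample data: hours for MTPD / data loss, cost in arbitrary units.
SERVICES = [
    Service("policy-admin", ["core-db", "mpls-wan"]),
    Service("claims-portal", ["core-db", "mpls-wan"]),
    Service("investment-app", ["core-db"]),
    Service("hr-payroll", ["hr-db"]),
    Service("core-db"), Service("hr-db"), Service("mpls-wan"),
]
PROCESSES = [
    Process("new business issuance", 8, 1, ["policy-admin"]),
    Process("claims settlement", 24, 4, ["claims-portal"]),
    Process("fund valuation", 4, 0.25, ["investment-app"]),
    Process("intra-day treasury settlement", 1, 0, ["investment-app"]),
    Process("monthly payroll", 72, 24, ["hr-payroll"]),
]
STRATEGIES = [
    Strategy("nightly tape restore at DR site", 48, 24, 50_000),
    Strategy("async replication + warm standby", 6, 0.5, 400_000),
    Strategy("sync replication + hot standby", 1, 0, 1_500_000),
]

if __name__ == "__main__":
    objectives = derive_objectives(PROCESSES, SERVICES)
    plan = select_strategy(objectives, STRATEGIES)
    for svc in prioritised(objectives):
        rto, rpo = objectives[svc]
        chosen = plan[svc].name if plan[svc] else "NO ALTERNATIVE MEETS OBJECTIVE"
        print(f"{svc:15} RTO {rto:>5}h RPO {rpo:>5}h -> {chosen}")
    print("unmet:", unmet(plan), "annual cost of feasible plan:", plan_cost(plan))
```

In the sample data the treasury process drives core-db and investment-app below what any alternative can deliver, which is exactly the case item e) ("agreed tolerance levels") exists to resolve.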

3.2.2. ISMS Implementation

Phase 1 - Current State Assessment

Activities:

1.1 Selection of Information Security Committee and ISMS rollout team

1.2 Understanding of SUD's business processes and their dependency on IT infrastructure. Develop ISMS scope

1.3 Perform detailed Gap analysis vis-à-vis ISO 27001 control framework

1.4 Perform detailed review of current IT outsourced services & IT SLAs w.r.t. IT security, program management and quality of implementation.

1.5 Review of documentary adequacies

1.6 Review of implementation adequacies

Expected Deliverables:
- Gap Analysis Report
- ISMS Scope documentation

Phase 2 - Risk Assessment and ISMS documentation

Activities:

2.1 Conduct training for all the process owners on Information Asset Profiling

2.2 Information Assets identification and classification

2.3 Perform detailed risk assessment for critical information assets supporting SUD's business processes. Develop criteria for accepting risks and identify the acceptable levels of risk

2.4 Perform Technology Risk Assessment of critical IT infrastructure including:
Network Architecture Review -
- Checking device and service level redundancy and Load Balancing at each tier
- Review of network security architecture and security policy
- Review the appropriate segregation of network into various trusted zones
- Review the traffic flow and patterns in the network
- Ease of server provisioning
- Review of data storage and backup solutions
- Assess adequacy of backup testing and restoration
Vulnerability Assessment -
- Security vulnerabilities assessment of the Local Area Network and WAN
- Vulnerability assessment of SUD's critical servers
- Review of critical servers and database configuration
Penetration testing (Internal and External) -
- Review of existing configuration and parameters of various network components such as Routers, Switches, Firewalls, IDS etc.
- Internal Penetration testing for critical applications
- Perform penetration testing for external facing IP addresses

2.5 Review of data center security controls at the datacenter

2.6 Review of current security practices of the organization viz.
a. Personnel security practices
b. Physical security practices
c. Logical security practices
d. Network security practices
e. Operations security practices
f. System development security practices
g. Business continuity practices
h. Legal contracts

2.7 Develop criteria for accepting risks, identify the acceptable levels of risk and develop a detailed risk mitigation plan.

2.8 Designing and development of ISMS documents including
a. Information security policies
b. ISMS procedures, standards and guidelines
c. ISMS organization structure

2.9 Development of BCP framework

Expected Deliverables:
- Training material
- Information asset registers
- Risk Assessment Methodology and Risk Matrix
- Network Architecture Review Report
- Vulnerability Assessment reports
- Penetration Testing reports
- Security Architecture review report
- Risk Treatment Plan
- Statement of Applicability document for selection of ISO 27001 controls
- ISMS documents and Business continuity framework
- ISMS procedures, guidelines and checklists

Phase 3 - Implementation of ISMS

Activities:

3.1 Conduct training and awareness sessions on ISMS awareness and implementation for SUD staff

3.2 Prepare detailed ISMS implementation charter

3.3 Monitor rollout of non-technical controls viz.
a. Policies and procedures
b. Administrative controls
c. Physical controls
d. Personnel controls
e. Operational controls
f. Compliance controls

3.4 Monitor implementation of technical controls viz.
a. Access controls
b. Communication and Network controls
c. Cryptographic controls
d. System development and maintenance controls

Expected Deliverables:
- Information Security Training and Awareness
- ISMS Implementation Plan
- Implementation progress updates

Phase 4 - Internal audit and Certification

Activities:

4.1 Perform detailed internal audit to identify non-conformities. Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS

4.2 Perform pre-assessment prior to final certification

4.3 Assist SUD in surveillance audits

Expected Deliverables:
- Internal audit report
- Preventive and corrective action reports
- Control improvement plan
- Minutes of Security Committee review meetings

4. Instructions to Bidders

4.1. Introduction

This Request for Proposal document (“RFP”) has been prepared solely to enable Star Union Dai-Ichi Life Insurance Co Ltd (“SUD”, “the company”) to evaluate consultants for development of an IT disaster recovery plan document for the critical systems and operations, and for implementation of an ISMS. The RFP document is not a recommendation, offer or invitation to enter into a contract, agreement or other arrangement in respect of the services.

4.2. Information Provided

The RFP document contains statements derived from information that is believed to be reliable at the date obtained but does not purport to provide all of the information that may be necessary or desirable to enable an intending contracting party to determine whether or not to enter into a contract or arrangement with the company in relation to the provision of services. Neither the company nor any of its employees, agents, contractors, or advisers gives any representation or warranty, express or implied, as to the accuracy or completeness of any information or statement given or made in this RFP document. Neither the company nor any of its employees, agents, contractors, or advisers has carried out or will carry out an independent audit or verification or due diligence exercise in relation to the contents of any part of the RFP document.

4.3. Disclaimer

Subject to any law to the contrary, and to the maximum extent permitted by law, SUD and its officers, employees, contractors, agents, and advisors from any loss or damage (whether foreseeable or not) suffered by any person acting on or refraining from acting because of any information, including forecasts, statements, estimates, or projections contained in this RFP document or conduct ancillary to it, whether or not the loss or damage arises in connection with any negligence, omission, default, lack of care or misrepresentation on the part of the company or any of its officers, employees, contractors, agents, or advisers.


4.4. Submission of Bids

The bids shall be in two parts viz. Technical Proposal and Commercial Proposal. Both Technical and Commercial Proposals shall be submitted in separate sealed envelopes, superscribing “TECHNICAL PROPOSAL FOR APPOINTMENT OF CONSULTANTS FOR DISASTER RECOVERY PLANNING AND DEVELOPMENT OF INFORMATION SECURITY MANAGEMENT SYSTEM: TENDER REF. SUD DR/ ISMS 001” on top of the envelope containing the technical bid and “COMMERCIAL PROPOSAL FOR APPOINTMENT OF CONSULTANTS FOR DISASTER RECOVERY PLANNING AND DEVELOPMENT OF INFORMATION SECURITY MANAGEMENT SYSTEM: TENDER REF. SUD DR/ ISMS 001” on top of the envelope containing the commercial bid. These two separate sealed envelopes should be put together in a sealed master envelope superscribing “PROPOSAL FOR APPOINTMENT OF CONSULTANTS FOR DISASTER RECOVERY PLANNING AND DEVELOPMENT OF INFORMATION SECURITY MANAGEMENT SYSTEM: TENDER REF. SUD DR/ ISMS 001”.

The Technical Proposal will be evaluated first for technical suitability. The Commercial Proposal shall be opened only for the short-listed bidders who have qualified in the Technical Proposal evaluation. The Commercial Proposal shall be submitted as per Annexure B. The technical proposal shall be organized and submitted in the following sequence:

- Technical proposal with detailed approach and deliverables
- All copies of certificates, credentials etc.
- Annexure A
- Masked Annexure B
- Annexure C
- Annexure D

The Bids shall be addressed and submitted to: The CEO, Star Union Dai-Ichi Life Insurance Company Limited, 11th Floor, Raghuleela Arcade, IT Park, Sector 30A, Opp. Vashi Railway Station, Vashi Navi-Mumbai – 400 703

The bids (arranged as mentioned above) are to be submitted at the above address, marked with the tender number, before the due date & time as specified. A bid submitted anywhere else is liable to be rejected. The proposal should be prepared in English. The e-mail address and phone/fax numbers of the bidder should also be indicated on the sealed cover.

4.5. Costs Borne by Respondents

All costs and expenses incurred by Recipients / Respondents in any way associated with the development, preparation, and submission of responses, including but not limited to attendance at meetings, discussions, demonstrations, etc. and providing any additional information required by the company, will be borne entirely and exclusively by the Recipient / Respondent.

4.6. No Legal Relationship

No binding legal relationship will exist between any of the Recipients / Respondents and the company until execution of a contractual agreement.

4.7. RFP Validity Period

Responses to the RFP will remain valid and open for evaluation according to their terms for a period of 90 days from the time the RFP submission process closes on the deadline for lodgment of RFP.

4.8. Requests for Information

Recipients are required to direct all communications related to this RFP, including notification of late RFP submission, through the Nominated Point of Contact person, i.e. the AVP IT Infrastructure (Head IT Infra). All questions relating to the RFP, technical or otherwise, must be in writing only to the Nominated Point of Contact. Respondents should provide details of their email address, as responses to queries will only be provided to the Respondent via email.

4.9. Eligibility Criteria The Consultant is required to meet the following eligibility criteria and provide adequate documentary evidence for each of the criteria stipulated below:

1. Should be a Government Organization/PSU/PSE/partnership firm or a limited company registered under Indian laws.
   Supporting document: Company incorporation certificate.

2. Should be in existence in India for five years as on 31.03.2010. (In case of mergers/acquisitions/restructuring or name change, the date of establishment of the earlier/original partnership firm/limited company can be taken into account.)
   Supporting document: Company incorporation certificate.

3. Should have a minimum turnover of at least INR 200 crores in the past two years in India.
   Supporting document: Company's balance sheet and profit and loss statements.

4. Should have made profits for the past 3 years in succession in India.
   Supporting document: Company's balance sheet and profit and loss statements.

5. The company should never have been blacklisted/barred/disqualified by any regulator/statutory body.
   Supporting document: An undertaking from the company to this effect.

6. Should have undertaken similar work of providing advisory services in IT Disaster Recovery Planning and BS 7799/ISO 27001 in at least 5 organizations in the BFSI sector.
   Supporting document: Client certificate or the contract with the client indicating the scope of the project as desired.

7. The company should be independent of technology or facilities providers, so that it can provide truly independent advice.
   Supporting document: Details of organizational structure and lines of business.

8. The company should be CERT-In empanelled.
   Supporting document: The company should be listed on CERT-In's empanelled vendor list.

9. The company should have internally designed tools and methodologies for IT disaster recovery and ISO 27001 advisory to ensure high-quality and consistent project delivery. Internally developed tools should have been exercised on the relevant engagements.
   Supporting document: Details of tools, methodologies and sample templates used for delivering the project.

10. All activities during the engagement should be performed by the company directly and not outsourced.
   Supporting document: Proposal confirming the mentioned requirement.

5. Terms and Conditions of the Tender

5.1. Substitution of Project Team Members During the assignment, substitution of the key staff identified for the assignment will not be allowed unless such substitution becomes unavoidable to overcome undue delay or the change is critical to meeting the obligations. In such circumstances, the bidder may do so only with the concurrence of the company, by providing other staff of the same level of qualifications and expertise. The company also reserves the right to require the bidder to replace any team member with another (with the qualifications and expertise required by the company) during the course of the assignment.

5.2. A selected bidder will not be allowed to bid for the system integration and implementation of the Disaster Recovery setup.

5.3. Professionalism The consultant should provide professional, objective and impartial advice at all times and hold the SUD’s interests paramount and should observe the highest standard of ethics while executing the assignment.

5.4. Expenses Traveling, boarding and lodging expenses, if any, for site visits outside Mumbai for project-related work will be borne by the company at mutually agreed rates and reimbursed against production of tickets and bills. Mumbai will be considered the base station for the purpose of traveling.


The bidder is expected to quote for the prices of the services with the applicable taxes as on the date of bid submission. Bidder is also expected to quote the Out of Pocket Expenses for carrying out the assignment in Mumbai, as a part of the overall fees.

5.5. TERMS OF PAYMENT The consultant's fees will be paid in the following manner for each item/activity described in the Commercial Proposal (Annexure B).

5.5.1. Disaster Recovery Planning (project milestone: payment)

1. On commencement of assignment: 10%
2. On completion of Phase 1 - Risk Assessment and Impact Analysis: 20%
3. On completion of Phase 2 - Recovery resource requirement and Recovery strategy: 30%
4. On completion of Phase 3 - Development of Disaster Recovery Plan: 30%
5. On completion of Phase 4 - DR site deployment, testing and maintenance: 10%

5.5.2. Information Security Management System (project milestone: payment)

1. On commencement of assignment: 10%
2. On completion of Phase 1 - Current State Assessment: 20%
3. On completion of Phase 2 - Risk Assessment and ISMS documentation: 30%
4. On completion of Phase 3 - Implementation of ISMS: 30%
5. On completion of Phase 4 - Internal audit and Certification: 10%

5.6. Subcontracting The bidder shall not subcontract or permit anyone other than its personnel to perform any of the work, service or other performance required of the bidder under the contract without the prior written consent of the company.


5.7. Consultant Selection/Evaluation Process The scoring of vendors will be based on technical and commercial scores, arrived at as follows.

Technical Scoring

The technical scoring, among other things, will be based on the following criteria. Each criterion lists the documentary evidence expected and its marks (out of 100 in total):

1. Methodology/Approach proposed for accomplishing the proposed project and sample deliverables for Disaster Recovery Planning and ISMS implementation (35 marks in total):
   a. Methodology and approach, with sample deliverables: 15 marks. Evidence: Technical Proposal containing the methodology and approach / bidder presentation.
   b. An automated tool to assess the current level of preparedness of SUD Life vis-à-vis leading practices suggested in BS 25999: 7 marks. Evidence: Demo of the tool during the proposal presentation.
   c. An automated tool to conduct ISO 27001 risk assessments: 8 marks. Evidence: Demo of the tool during the proposal presentation.
   d. A tool for program management: 5 marks. Evidence: Demo of the tool during the proposal presentation.

2. Consultant's prior experience in conducting similar engagements (25 marks in total). Evidence: Letters of engagement / client references / client letters for the relevant experience.
   a. Demonstrable experience in ISO 27001 advisory to at least 10 organizations in India in the last 5 years, of which at least 3 should be government/public sector clients: 5 marks.
   b. Demonstrable experience in advising and assisting in BS 25999/DR certification for at least one organization based in India at a minimum of 5 locations: 5 marks.
   c. Demonstrable experience in advising and assisting at least 5 companies in the insurance sector on Disaster Recovery: 5 marks.
   d. Demonstrable experience of providing DR consulting services to at least one life insurance company in the last 18 months: 5 marks.
   e. Demonstrable experience in actual hands-on implementation and program management of technology components in at least 5 life insurance companies in India: 5 marks.

3. The consultant should hold an ISO 27001 certification: 10 marks. Evidence: Copy of the ISO 27001 certificate.

4. Experience of the consultant's proposed project team in Disaster Recovery and ISMS implementation (30 marks in total). Evidence: CVs of the proposed team and the team members' certificates.
   a. An experienced team for ISO 27001 and DRP, with consultants who have worked on ISO 27001 and DR engagements: 5 marks.
   b. Personnel with experience in actual hands-on implementation and program management of technology components in at least 5 life insurance companies in India: 8 marks.
   c. At least one team member who has worked in a life insurance company in India for at least 2 years: 7 marks.
   d. At least 2 MBCI (Member of the Business Continuity Institute) professionals on the consultant's payroll in India: 5 marks.
   e. At least 2 ISO 27001 Lead Auditors on the consultant's payroll in India: 5 marks.

Various stages of technical evaluation are presented below:

1. Matching the clear eligibility criteria as indicated above (Eligibility Criteria)
2. Short-listing of the bidders based on the fully matched criteria
3. Paper evaluation based on the response
4. Arriving at the final score on the technical proposal
5. Presentation by the bidding consultants
6. Reference check with the referred customers

At its sole discretion and determination, the company may add any other relevant criteria for evaluating the proposals received in response to this RFP. The short-listed consultants will be invited to make a presentation to the SUD team covering the following.


Agenda (allocated time in minutes):

1. Company background (size, turnover, services): 5
2. Proposed approach/methodology for DRP and ISMS: 30
3. Proposed project team structure and profiles of the proposed team: 5
4. Case studies on DRP and ISMS: 20
5. Questions and answers: 10

The Project Leader and Project Manager proposed by the consultant should be present at the presentation.

The technical qualification cut-off for opening of the commercial bid would be 75% (75 marks out of 100). Bidders scoring below this would not be considered for commercial bid opening. In the event only one bidder qualifies, SUD will have the right to place the order with the single qualified bidder. In the event no bidder technically qualifies (i.e. all are below 75%), SUD may choose to select the bidder with the highest score. In the event more than one bidder qualifies at the 75% cut-off, the techno-commercial score is arrived at as below.

Techno-commercial scoring

The commercial bids of the technically short-listed bidders will be opened and the bidders ranked as L1, L2, L3, etc. on the basis of their fees/price in ascending order (L1 being the vendor with the lowest fees/price, followed by L2 with the next lowest fees/price, and so on). There would be a weightage of 70% for the technical score and 30% for the commercial price. The maximum marks (Total Score) for the technical and commercial proposals together would be 100. The score is normalized for each bidder as under:

Total Score = 0.7 x T(s) + 0.3 x F(s)

where F(s) = (LP / BP) x 100

Acronyms:

• T(s) stands for the technical score out of 100 for the bidder

• F(s) stands for the bidder's commercial score: the lowest quoted price among the bidders whose commercial bids are opened, expressed as a percentage of the bidder's own price (the lowest bidder therefore scores 100)

• BP stands for the Bidder's price

• LP stands for the Lowest price among all the bidders

The proposals will be ranked in terms of the Total Scores arrived at as above. The proposal with the highest Total Score will be considered first for award of contract and will be invited for price and contract negotiation.
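The selection rules above (75% technical cut-off, L-ranking by price, and the 70/30 weighted Total Score) are spelled out in prose only. The following Python is an added worked example, not part of the RFP, that applies them to a constructed set of bidders so a bidder can see how price and technical score trade off; the bidder names, scores and prices are made up for illustration.

```python
"""Techno-commercial scoring as described in section 5.7 of the RFP.

Added worked example; not part of the RFP. The bidder names, technical
scores and prices below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TECH_CUTOFF = 75.0         # technical qualification cut-off, marks out of 100
W_TECH, W_COMM = 0.7, 0.3  # 70% technical, 30% commercial weightage


@dataclass
class Bid:
    name: str
    technical: float   # T(s): technical score out of 100
    price: float       # BP: bidder's quoted fees, in rupees


def commercial_score(bidder_price: float, lowest_price: float) -> float:
    """F(s) = (LP / BP) x 100: the lowest bidder scores 100; a bidder quoting
    twice the lowest price scores 50."""
    return lowest_price / bidder_price * 100.0


def total_score(technical: float, commercial: float) -> float:
    """Total Score = 0.7 x T(s) + 0.3 x F(s)."""
    return W_TECH * technical + W_COMM * commercial


def rank_bids(bids: List[Bid]) -> List[Tuple[str, float, Optional[str]]]:
    """Return (name, score, L-rank) tuples, best first, following the RFP rules.

    - Bidders below the 75% cut-off never reach commercial evaluation.
    - If nobody qualifies, the RFP lets SUD pick the highest technical score;
      the returned score is then the technical score and the L-rank is None.
    - Otherwise the qualified bids are opened, ranked L1, L2, ... by price,
      and ordered by the weighted Total Score (a single qualifier gets F(s)=100).
    """
    qualified = [b for b in bids if b.technical >= TECH_CUTOFF]
    if not qualified:
        best = max(bids, key=lambda b: b.technical)
        return [(best.name, best.technical, None)]

    lowest_price = min(b.price for b in qualified)
    by_price = sorted(qualified, key=lambda b: b.price)
    l_rank = {b.name: f"L{i}" for i, b in enumerate(by_price, start=1)}

    scored = [
        (b.name,
         total_score(b.technical, commercial_score(b.price, lowest_price)),
         l_rank[b.name])
        for b in qualified
    ]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample: three bidders, one of whom fails the technical cut-off.
SAMPLE_BIDS = [
    Bid("Alpha", technical=90.0, price=12_000_000),
    Bid("Beta", technical=78.0, price=9_000_000),
    Bid("Gamma", technical=70.0, price=7_000_000),  # below 75: commercial bid not opened
]

if __name__ == "__main__":
    for name, score, rank in rank_bids(SAMPLE_BIDS):
        print(f"{name:6s} rank={rank} total={score:.2f}")
```

With these inputs Gamma is the cheapest bidder overall but is never opened, Beta is L1 among the qualified bids with a Total Score of 84.6, and Alpha, despite quoting a third more, wins with 85.5 because the 70% technical weight outweighs its lower commercial score of 75.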

5.8. Performance Security

1. The Prime Vendor shall provide a Performance Security for an amount of 20% of the contract value, by way of a guarantee from a nationalised bank (other than Bank of India / Union Bank of India) acceptable to Star Union Dai-ichi Life, in the format provided by Star Union Dai-ichi Life, for a period of minimum 12 months or till the completion of the project, whichever is greater, as may be informed from time to time.

2. Star Union Dai-ichi Life shall be entitled to invoke the said guarantee and adjust the proceeds of the same in case of non-completion of the project.


Proposal and other formats

5.9. ANNEXURE A The following form should be included in the Technical Bid envelope.

The CEO
Star Union Dai-ichi Life Insurance Company Limited
11th Floor, Raghuleela Arcade, IT Park, Sector 30A, Opp. Vashi Railway Station, Vashi, Navi Mumbai – 400 703

Sirs,

Having examined the RFP Document including all annexures, the receipt of which is duly acknowledged, we, the undersigned, offer to provide our advisory services to obtain ISO 27001 certification for the locations mentioned in the scope of work, and advisory services for the IT Disaster Recovery Planning and Deployment activities mentioned in the scope of work, in conformity with the said tender documents and in accordance with the Commercial Bid made part of this tender. We understand that the RFP provides generic specifications about all the items and has not been prepared with any specific bidder in view. We confirm that the information submitted in our Bid/Proposal is true and correct. We agree to abide by the Bid/Proposal and the fees quoted therein. We hereby acknowledge and unconditionally accept that Star Union Dai-ichi Life Insurance (SUD) may, at its absolute discretion, apply whatever criteria it deems appropriate in short-listing and selecting the consultants. We declare that we have not made any alterations/changes whatsoever in the RFP document, and we are fully aware that in the event of any change, the RFP document maintained at SUD will be treated as authentic and binding and the Bid/Proposal submitted by us will be liable to be rejected by SUD in the event of any alteration made in the RFP document. We undertake that, in competing for (and, if the award is made to us, in executing) the above contract, we will strictly observe the laws against fraud and corruption in force in India, namely the Prevention of Corruption Act 1988. We understand that you are not bound to accept the lowest, or any other, Proposal you may receive.

Dated this ....... day of ............................ 2010

____________________________________
(Signature and Name)

______________________________________
(In the capacity of)


Technical Proposal format: particulars to be provided by the bidder in the technical proposal

1. Name of the bidder
2. Year of establishment and constitution. (A certified copy of the "Partnership Deed" or "Certificate of Incorporation" should be submitted, as the case may be.)
3. Location of registered office/corporate office and address
4. Mailing address of the bidder
5. Names and designations of the persons authorized to make commitments to SUD
6. Telephone and fax numbers of contact persons
7. E-mail addresses of contact persons
8. Details of: description of business and business background; service profile and client profile; domestic and international presence; alliances and joint ventures
9. Gross revenue of the bidder for the years 2006-07, 2007-08 and 2008-09
10. Net profit of the bidder for the years 2006-07, 2007-08 and 2008-09 (documentary proofs to be enclosed)
11. Details of similar assignments executed by the bidder in banking and financial sector companies and insurance companies. (Name of the client, time taken for execution of the assignment and suitable contact number of the client to be
12. Copy of the company's currently valid ISO 27001 certificate
13. List of MBCI / ISO 27001 LA / Implementer certified personnel and valid certificates
14. Name of the team leader identified for this assignment and his professional qualifications and experience/expertise; details of similar assignments handled by the said team leader; documentary proofs for all assertions to be enclosed (as per Annexure D)
15. Estimated work plan and time schedules for providing services for this assignment
16. Effort estimate and elapsed time (as per Annexure C)
17. Details of inputs and infrastructure requirements required by the bidder to execute this assignment
18. Details of the bidder's proposed methodology/approach for providing services to the insurance company with specific reference to the scope of work
19. Details of internally developed tools
20. Details of deliverables the bidder proposes with specific reference to the scope of work

Seal & Signature of the bidder


Note: - The above proposal format is indicative of minimum requirements. Respondents may furnish additional details, if any.


5.10. ANNEXURE B Commercial Proposal Format

Disaster Recovery Management System

For each major milestone, state the estimated effort (in person-days; indicate monthly effort required) and the quoted price (in Rupees):

1. Phase 1 - Risk Assessment and Impact Analysis
2. Phase 2 - Recovery resource requirement and Recovery strategy
3. Phase 3 - Development of Disaster Recovery Plan
4. Phase 4 - DR site deployment, testing and maintenance (excluding DR project management activities)

(A) Total Effort & Fees: XXX / XXXXX
(B) Out of Pocket Expenses: XXXXXXX
(C) Taxes: XXXXXXX
Total Fees for the Assignment (A+B+C)

Program Management of the DR Setup

IT DR site project management activities, with the man-month rate provided (in Rupees):

1. Monthly fees for program management of the DR setup after the System Integrator comes on board

Information Security Management System

For each major milestone, state the estimated effort (in person-days; indicate monthly effort required) and the quoted price (in Rupees):

1. Phase 1 - Current State Assessment
2. Phase 2 - Risk Assessment and ISMS documentation
3. Phase 3 - Implementation of ISMS
4. Phase 4 - Internal audit and Certification

(A) Total Effort & Fees: XXX / XXXXX
(B) Out of Pocket Expenses: XXXXXXX
(C) Taxes: XXXXXXX
Total Fees for the Assignment (A+B+C)

In case of additional involvement beyond the above milestones, the man-month rate would be INR ______________

Note:

• The consultant is required to provide an additional per man-month rate by level for any further assistance required by the company over and above the scope and effort indicated in this RFP. This rate would be applicable for all extended scope of work associated with IT disaster recovery plan development for the company.

• The per man-month rate should be valid for a period of 1 year from the date of bid submission, after which it would be mutually agreed in the event the company requires further assistance. The additional per man-month rate will not be taken into account in arriving at the Total Cost of Ownership for the consultancy project.

• Per man-month rates quoted should not include any expenses or taxes.

Seal and Signature of Bidder:


5.11. ANNEXURE C Estimated Effort and Elapsed Time

Disaster Recovery Planning

For each phase, state the number and names of the team members who will be deployed, the total man-month effort of the bidder's team per month for the phase, and any remarks:

1. Phase 1 - Risk Assessment and Impact Analysis
2. Phase 2 - Recovery resource requirement and Recovery strategy
3. Phase 3 - Development of Disaster Recovery Plan
4. Phase 4 - DR site deployment, testing and maintenance (including DR project management)

Information Security Management System

For each phase, state the number and names of the team members who will be deployed, the total man-month effort of the bidder's team per month for the phase, and any remarks:

1. Phase 1 - Current State Assessment
2. Phase 2 - Risk Assessment and ISMS documentation
3. Phase 3 - Implementation of ISMS
4. Phase 4 - Internal audit and Certification

Seal and Signature of Bidder:


5.12. ANNEXURE D Proposed Team Profile

For each proposed Engagement Manager / proposed team member, provide:

• Name
• Professional qualifications
• Certifications/accreditations
• Insurance/consulting expertise (in terms of years and areas of expertise)
• IT expertise (in terms of years and areas of expertise)
• Number of similar assignments delivered in India

Seal and signature of the bidder

Note: The above curriculum vitae format is indicative of minimum requirements. Respondents may furnish additional details, if any, as a separate annexure.


5.13. ANNEXURE E Information Security Management System scope of work details – processes identified for certification

Locations under ISMS scope:

01. SUD's office location - 11th Floor, Raghuleela Arcade, IT Park, Sector 30A, Opp. Vashi Railway Station, Vashi, Navi Mumbai – 400 703
02. SUD's Primary Datacenter at Airoli
03. SUD's Disaster Recovery Datacenter

Approximate number of personnel per location: approx. 500

Technology infrastructure:

• Network infrastructure: primarily Cisco devices, approx. 20 (including switches, routers and firewalls); EMC storage area network (25 TB); Internet/MPLS network serving 20 ROs; back office (300 desktops/laptops)
• Server infrastructure: iSeries 550 (AS/400), qty 1; Microsoft Windows servers, qty 25
• Database: MS SQL and Oracle Enterprise
• Security devices: Symantec multi-tier protection including mail security, firewall and IPS
• Service desk: CA Unicenter Service Desk and complete report suite
• Application infrastructure: Life Asia (core business application); Sun Accounts (finance); Quantis (investment management); SUD portals; MS Exchange 2007 (e-mail); BI and reporting system (ProClarity and SQL suite); Omniflow/Omnidocs scanning and workflow; Sales Illustration (Insure Connect); PT/Rcon/Medcal; Inward/Outward; Group in-house applications; BlackBerry Enterprise Server; Microsoft 2003 DC server; MS file and print server; HRMS; CRM


5.14. ANNEXURE F

(Sample form)

PERFORMANCE SECURITY FORM

To: (Name of Purchaser)

WHEREAS ................................................................... (Name of Supplier) (hereinafter called "the Supplier") has undertaken, in pursuance of Contract No................. dated ........... 2007, to supply ....................... .................................................(Description of Products and Services) (hereinafter called "the Contract").

AND WHEREAS it has been stipulated by you in the said Contract that the Supplier shall furnish you with a Bank Guarantee by a recognised bank for the sum specified therein, as security for compliance with the Supplier's performance obligations in accordance with the Contract.

AND WHEREAS we have agreed to give the Supplier a Guarantee:

THEREFORE, WE hereby affirm that we are Guarantors and responsible to you, on behalf of the Supplier, up to a total of ................................... ........................................ (Amount of the Guarantee in Words and Figures), and we undertake to pay you, upon your first written demand declaring the Supplier to be in default under the Contract and without cavil or argument, any sum or sums within the limit of ................................ (Amount of Guarantee) as aforesaid, without your needing to prove or to show grounds or reasons for your demand or the sum specified therein.

This guarantee is valid until the ........ day of ...................

Signature and Seal of Guarantors (Supplier's Bank) ....................................................................

Date ....................................................

....................................................................

Address: .......................................................
....................................................................

End of Document