Part 2: Segment wise Detailed Commercial Proposal Format: Summary Sheet (Without Commercials)

| Sr No | Item Description | Item Specification (Make/Model/Capacity) | Unit | Qty | Rate (INR) | Total (INR) (Rate * Qty * TCO Factor) |
|---|---|---|---|---|---|---|
| A | Antivirus Solution Server Hardware Cost (With OS and Other required System Software, storage, warranty for 3 years) | | | | | |
| A.1 | Data Center | | | | | |
| 1 | Solution Server | | Number | 1 | | |
| A.2 | DR Site | | | | | |
| 2 | Solution Server | | Number | 1 | | |
| | Sub Total (A) | | | | | (I) |
| B | Antivirus Solution Licensing Cost | | | | | |
| B.1 | Server Software Licensing Cost | | Number | 2 | | |
| B.2 | Client and distribution node software Licensing cost | | Number | 15000 | | |
| | Sub Total (B) for 1 Year | | | | | |
| | Sub Total (B) for 3 Years (Sub Total B * 3) | | | | | (II) |
| C | One Time Charges (Including Installation, Configuration for servers and clients etc) | | Number | 15000 | | |
| | Sub Total (C) One Time Charges (Including Installation, Configuration for servers and clients etc) | | | | | (III) |
| D.1 | Facility Management for Antivirus Solution for 1st year | | Year | 1 | | |
| D.2 | Facility Management for Antivirus Solution for 2nd year | | Year | 1 | | |
| D.3 | Facility Management for Antivirus Solution for 3rd year | | Year | 1 | | |
| | Sub Total (D) Facility Management Charges for 3 years | | | | | (IV) |
a. The SI shall suitably and adequately train the Bank's or its designated team for fully and effectively manning, operating and maintaining the Antivirus Solution.
b. SI shall provide adequate documentation thereof.
c. The SI shall assist the Bank in migration to new antivirus solution in case the new SI faces any problem during migration.
| Sr. No. | Description | Maximum Score | Scoring Mechanism / Credentials |
|---|---|---|---|
| 1 | Compliance to Technical requirement | 200 | The Compliance factor will be scored. Compliance to Annexure 1 |
| 2 | Reference Sites visit & Presentation on Project Implementation Methodology | 200 | Site visit and Presentation on Project Implementation and Methodology |
| 3 | Overall proposal, description of the services and specifications - Technical bid | 100 | Documents submitted in Technical Bid |
| | Total | 500 | |
Note
1. The cutoff criteria of the above evaluation parameters is minimum 300 marks across all three above sections.
2. In Sr. No. 1, the SI must score a minimum of 80% compliance. Even if the SI meets the 300 mark cut-off and does not meet the criteria of 80% compliance to section 1, the SI would be deemed not to be meeting the RFP Technical requirements and would be disqualified.
3. This annexure is for bidders' reference and need not be submitted with Bid.
4. Bidders need to provide relevant credentials for all of the above points for scoring.
1 Page 23 5.1.9.1 Service Level Agreement The vendor shall ensure that the system gives minimum 99.50% uptime (Calculated on monthly basis, which includes servers, storage, clients on distribution nodes, and solution as a whole). For every 0.10% or fraction thereof of additional downtime, Bank will impose a penalty of 1% of the monthly payment (subject to maximum of 10% of the contract value during Contract Period of three years).
Would seek bank's support for the same. This is possible with appropriate bandwidth availability. Nodes need to be online.
99.5% uptime needed for central servers, storage and distribution nodes
2 Page 24 5.1.9.2 Deployment of antivirus software and latest virus definitions.
Latest antivirus software version to be deployed in all machines within 4 weeks from release of the version. 99.50% assets covered by Solution shall have latest virus definitions not older than 1 day from release of the updates. Daily report to be submitted. Consolidated report every week. 99.5% uptime for solution server.
Possible subject to Nodes availability & appropriate bandwidth for the mentioned activity. Also depends on the number of patches getting released on the given day.
3 Page 24 5.1.9.2 Reporting and validation of installations
Usage of bandwidth from Solution server to NAP distribution point and from NAP distribution point to branch distribution point should not cross the threshold limit as per Bank's Bandwidth Management Policy, which is currently 10% of total bandwidth during Business Hours (i.e. 10:00 HRs - 17:30 HRs). Bandwidth throttling report to be submitted daily. More than 98% clients shall be online in Daily reporting of status of antivirus clients. Consolidated report every week.
This is subject to number of Patch releases on the given day. Subject to the node condition.
No Change in clause
4 Page 24 5.1.9.2 Troubleshoot & resolution computers corrupted due to virus attack
Identify and apply any patch needed for all corrupted machines within 1 day. Performance and scalability review report every quarter Providing historical data of last 6 months immediately.
Archiving is needed. Infrastructure required for keeping data for minimum of 6 Months.
No Change in clause
5 Page 17 5.1.1.8 The deployment of patches shall be possible through command line tools such as scripting and scheduling it for execution. This schedule is determined by the exposure of Bank's systems to hostile networks, and by the Bank's security policy.
Request Bank to clarify the point and expectation from the bidder.
6 Page 21 5.1.5 Client Software Requirement
Memory utilization shall not exceed 5% of total memory utilization at any moment
Yes, Subject to systems are as per the application requirement. If required we may share minimum hardware requirement for the client software.
No Change in clause. The solution shall support existing systems of the Bank.
7 Page 22 5.1.7 Resources
Shift timing for L1 & L2 engineers are mentioned in the tender. However for L3 engineer we would request bank to provide us the clarification. If L3 engineer is required onsite or not.
L3 engineer is not required onsite
8 Page 71 Part 2 Point C
One Time implementation charges. We assume number nodes to be 15000 instead of 1500 as mentioned in the tender.
15000 is correct
9 Page 15 & Page 51 For Page 51 Point 1.1.i
Ticket Logging Solution is preferred to have integration capabilities with external ticketing or helpdesk systems (e.g. CA Unicenter etc.)
Request Bank to clarify if bidder has to provide the ticket login system or Bank has its own tool.
Vendor shall provide ticket logging system
10 12 4.1 Purpose
Purpose The Bank already has Symantec Endpoint Protection - version 11 software installed in all the PCs and servers of the Bank. The successful bidder shall uninstall the old antivirus software completely and then install the new software. Under no circumstances the conflict of existing antivirus software and proposed antivirus solution shall occur.
1. If the new/same AV software has some known/unknown issues which can only be solved by performing format of PC/server and then perform clean install of AV, then who will take data backup and format that machine?
2. If AV software conflict not calculated and more important then is it only for Symantec product please clarify?
3. If uninstallation requires password and admin privileges of existing AV solution is bank going to provide it?
4. Is uninstallation time calculated in project execution, please clarify.
Bidder has complete responsibility to uninstall old antivirus software and install the new antivirus software as per SLA. In certain exigencies, it will be resolved case to case basis.
11 12 4.1 Purpose
Purpose The proposed solution shall be scalable so as to support legacy applications used by bank or the Bank may go in for upgradation at a later date.
1. What are the legacy applications used by bank? As the list mentioned in RFP contains only Operation System. Applications list required as solution asked is in suite.
No Change in clause
12 12 4.2 Project Scope
Project Scope Implement web filtering for providing internet access to users wherever necessary in branches/offices of bank.
1. What will be design aspect for web filtering servers (Internet Speed, Number of users, Number of concurrent connections, Standalone/distributed) please clarify.
Web filtering solution shall support connections from all branches offices
13 13 4.2 Project Scope
Project Scope Providing online complaint logging system to the end user.
1. Is bank having any ticketing system? If yes then please provide the details such as product used and version. Or simple mail/ phone communication will be used. Please clarify it.
No Change in clause
14 13 4.3 Project Timelines
Project Timelines Project Timelines We request that Project Timelines should start from Purchase Order/Contract date.
No Change in clause
15 13 4.3 Project Timelines
Project Timelines Project Timelines 1. Installation of 20000 clients required time taken is very less. Based on the given calculations at least 1000 clients needs to be installed per day. Which may hamper network, bandwidth and AD performance. Please clarify. All those users will be hampered within those installation time. We request that more time should be factored for Installation to ensure a proper installation.
total timespan till UAT is 10 weeks. The bidder shall comply within the period.
16 13 4.3 Project Timelines
Project Timelines Project Timelines 1. Uninstallation of existing AV software time should be mentioned as part of project plan, please clarify.
No Change in clause
17 15 5.1.1. General
General The SI shall communicate with the OEM for any new virus found within Bank's PCs which the OEM software fails to detect or remove.
1. Any tool to be used for detection is allowed? Please clarify.
Strictly no other antivirus tool for zero-day attack. The bidder shall provide solution to resolve the issue.
18 15 5.1.1. General
General Drill down to the cause shall be automatically through console. Escalations rules shall be as adjustable as per the requirement of the Bank.
1. Dynamic reporting or static reporting? Please clarify.
No Change in clause
19 16 5.1.1.5 The Bank would also like the bidders to demonstrate their solution capabilities, integration services and any other innovative and creative services, which the bidder can offer to supplement bank's requirements during the RFP technical evaluation & presentation process.
1. Is POC part of
20 17 5.1.1.7 In case the bank changes network topology / architecture, required modification in Enterprise Wide Antivirus Solution architecture shall be done at no extra cost.
1. If the bank changes the network topology/architecture, causes the solution change in terms of hardware and software for AV will bank provide the installation/implementation charges? Please clarify
No Change in clause
21 17 5.1.1.9 The bidder shall have load balancing between DC & DR Solution Servers.
1. Is load balancer needs to be provided separately as part of solution?
2. Is bank having any load balancing mechanism where this AV can be integrated and load balancing can be achieved?
3. Load balancing of traffic or clients? Please clarify.
Load balancing of distribution nodes' traffic to central servers
22 17 5.1.1.9 The solution shall be able to use traffic shaping/ policing technique for bandwidth throttling during deployment of virus definitions.
1. Is bandwidth manager needs to be provided separately as part of solution?
2. Is bank having any bandwidth management mechanism where this AV can be integrated and bandwidth can be mentioned as per bank requirement? Please clarify.
Antivirus solution shall provide bandwidth throttling based on traffic speed to each client
23 17 5.1.1.10 The solution shall support the Bank's Corporate Network which is currently
i) Classical P2P Leased Line based (Min. 64 Kbps). Bank is in the process of migrating its P2P based network to MPLS based network and various network topologies /architectures.
ii) VSAT with pooled bandwidth of 8 Mbps (for 700 branches)
1. What is the current utilization of leased lines? If they are utilized above 75% currently then AV signature update/Sync/Log transfer/Reporting will get impacted. Please clarify
1. What is the current utilization of VSAT bandwidth? If they are utilized above 75% currently then AV signature update/Sync/Log transfer/Reporting will get impacted. Please clarify
24 17 5.1.1.12 Further, any client shall be able to promote itself as distribution node in case required to distribute the virus definitions and software updates to local LAN PCs. This shall preferably happen automatically. The distribution node shall demote itself to client agent in case it finds 2 existing distribution nodes in same LAN.
1. We can define the policy to make the distribution node which will be manual process not automatic. And depends on the policy defined Please clarify the same.
25 18 5.1.1.12 The Licensing of Solution Server (hardware, software and application) and licensing of Antivirus Client Software on distribution nodes and clients shall continue 3 months further to the expiry of contract period. Extending the services of SI shall solely depend upon the performance of the SI.
1. If the AV expires virus definition updates will not be available and need to update manually with process. This will impact the AV solution hence it is not recommended. Please verify it.
No Change in the RFP Clause. The SI shall ensure necessary Licenses are available during the transition period.
26 18 5.1.2 Under no circumstances the clients shall pick up updates from solution server directly.
1. It depends on the policies but for update adequate bandwidth should be provided by bank for AV update. Please note.
No Change in clause
27 19 5.1.3 The solution server shall be able to take input (event alert) from SIEM (Security Information and Event Management Solution) and shall be able to work upon it.
1. This will be process and required some integration and manual intervention.
No Change in clause
28 20 5.1.3 The central server shall acquire the updates of virus definitions and software updates from authorized sources configured by administrator in real time.
1. Firewall access and adequate internet access required from central server to AV update server over internet.
No Change in clause. Required access will be provided by the Bank
29 20 5.1.3 The antivirus software version cannot be static. The vendor shall keep on upgrading the software in all the PCs whenever new software version is released.
1. Minor updates will be possible major updates required prerequisites to be fulfilled by bank. Please clarify.
No Change in the RFP Clause
30 21 5.1.5 Memory utilization shall not exceed 5% of total memory utilization at any moment.
1. Current memory utilization of resources?
Bank's bandwidth management policy shall be shared with successful bidder
31 21 5.1.6 The solution shall be able to integrate itself with any existing ticket logging system of the Bank (Service Desk).
1. Is bank having any ticketing system? If yes then please provide the details such as product used and version.
No change in clause
32 22 5.1.7 Resources
1. The resources mentioned are on shift but not for number of days in week, Please clarify
No change in clause
33 23 5.1.9.2 99.50% assets covered by Solution shall have latest virus definitions not older than 1 day from release of the updates.
1. Required bandwidth and resources to be provided by bank. Please verify
No Change in clause
34 24 5.1.9.1 97% tickets logged for distribution node shall be resolved in less than 12 hours and 95% tickets logged for clients in less than 24 Hours.
1. Priority should be assigned to the tickets based on the criticality of the branch and business. For remote branches should not be extended.
2. Instead of resolution, response time should be considered. Please clarify.
35 51 Annexure-1
Solution shall support redundancy and failover, means if one server fails, the other shall take over the functions seamlessly.
1. Active Active or Active passive? Please clarify
e.g. in case AV server at DC fails, then the AV server at DR shall continue providing AV services to all distribution nodes seamlessly
36 12 4.2 Project Scope
Project Scope The broad project scope includes having a single point reference to a System Integrator (SI) for all issues related to implementation and maintenance of the proposed Antivirus solution.
Bank should consider scope of other solutions like NAC, Patch Mgmt, DLP, Change Control at least along with current AV scope.
No change in the RFP Clause
37 23 5.1.9 Service Levels
Service Levels system gives minimum 99.50% uptime (Calculated on monthly basis, which includes servers, storage, clients on distribution nodes, and solution as a whole
Such Service Levels can only be met when bank has complete end point protection like Patch Mgmt, NAC, DLP, Change Control etc. Only AV / Anti spyware / Anti Malware solution is bound to get compromised by the users as they would use pendrive and because systems are not up to date with latest patches and updates. Bank should consider blocking of USB ports / CD for external storage too
No change in the RFP Clause
38 12 4.2 Project Scope
Project Scope The broad project scope includes having a single point reference to a System Integrator (SI) for all issues related to implementation and maintenance of the proposed Antivirus solution.
As per RBI Gopal Krishna Committee report bank has to anyways implement solution like DLP for host, patch management, Change Control NAC etc in near future, request bank to consider to implement this in current project so that there will be a single SLA for endpoints and more important with only one SI. Such approaches are already taken by other bank request bank to consider the same.
No change in the RFP Clause
39 15 5.1.1 General -> reporting and escalation
General -> reporting and escalation The vendor shall also provide online ticket logging system to the Bank.
Most of the AV solution today integrate with known Ticketing / Service desk systems like CA, Remedy, HP Service Desk etc. Bank has mentioned in the RFP that they already have a Ticketing system. Considering another ticketing system only for AV solution is not technically & commercially feasible. Request bank to leverage on existing Ticketing system of bank. Please delete this point.
40 15 5.1.1 General -> reporting and escalation
General -> reporting and escalation The vendor shall also provide online ticket logging system to the Bank.
Ticketing system is not asked to be quoted in technical masked / Commercials format (Appendix1 Form 02). For better transparency banks should provide no of users accessing ticketing systems and include specification of ticketing system. Please understand if we bundle the cost of Ticketing system with AV solution, bank will find AV solution expensive
No Change in clause
41 26 6.3 Commercial Bid Evaluation
Commercial Bid Evaluation The total cost of ownership shall be calculated over the contract period of 5 years.
There is ambiguity in RFP. Section 6.3 Commercial bid contradicts with Appendix1 Form 02 Part 2 Page 71 which says TCO as 3 years. Please provide clarity
The clause to be read as:
The total cost of ownership shall be calculated over the contract period of 3 years.
42 12 4.2
Project Scope
Project Scope The broad project scope includes having a single point reference to a System Integrator (SI) for all issues related to implementation and maintenance of the proposed Antivirus solution.
There is no mention in the RFP about "ability to detect malware infected Banking systems and endpoints trying to connect from inside to the outside malware infection points, command and control centre and the drop points" Botnets, malware attacks infect IT systems and try to take out Banking data. Fraudsters take out every possible data from infected botnet clients inside the Bank's network. This data is sold in the underground fraud market and could include sensitive information, customer records, etc. The Bank should look at intelligence service that provides daily blacklist containing list of known malicious hosts which can be integrated to existing Banking security systems via script/ such integration which would automate the identification / alerting of Banking devices connecting to the malicious hosts, drop zones, C&C etc. Bank can also add the daily blacklist feeds to their blocking list of network security devices / applications such as firewalls, mail relays, exchange/ messaging systems (anti-spam filters), IDS/IPS (intrusion detection and prevention systems) etc. This will block infected systems from communicating with the drop zones etc. and also prevent data exposures. Even in case of 0 day vulnerability/ targeted attack, the Bank can be kept secure from such issues by having such a service. This information will enable the Bank's security professionals & the bidder to have detection and remediation incidents of:
- Potential data exposures
- Employee identity theft
- Infected corporate machines.
No change in the clause
43 General : Limitation of Liability
LIMITATION OF LIABILITY : We request following clause to be added in the RFP:
1.1. Neither Party shall be liable in connection with this RFP/Agreement and/or a Statement of Work, whether under contract, tort or otherwise, for (a) any indirect, consequential, incidental, punitive, exemplary or special Losses; or (b) loss of data/programs, loss of profits or revenue, loss of anticipated savings and loss of goodwill, even if the loss or damages was reasonably foreseeable or a Party has been advised of the possibility of such damages.
1.2 Subject to clause 1.3, each Party's and its Affiliates' aggregate and collective liability arising out of or in connection with this RFP/Agreement and any Statement of Work (whether in contract, tort, negligence, under an indemnity or by statute or otherwise) entered into subject to its terms, will, to the extent permissible by law, be limited to the amount of Loss directly resulting from the relevant cause of action and will also not exceed the Annual Charges (excluding reimbursement of expenses, pass-through expenses, taxes and amount attributable to purchase of hardware and software on behalf of Customer) paid or payable by the Customer to Supplier under the relevant Statement of Work to which the cause of action relates. For the purpose of this clause 0, “Annual Charges” mean the annual average Charges paid to the Supplier in respect of Services delivered under the relevant Statement of Work. For the avoidance of doubt any claim made under an SOW, where the tenure of the SOW is less than 12 months, Annual Charges shall mean the value of such SOW.
1.3 The limitations of liability set out in clause 1.2, shall not apply to:
a) wilful misconduct or fraud (including fraudulent);
b) death or personal injury resulting from the negligence of a Party;
c) breach of Confidentiality obligations and clause Intellectual Property Rights);
d) any Losses suffered by a Party pursuant to any Employment Regulations as provided in RFP/Agreement and/or a Statement of Work; and
e) Customer’s payment obligations under this Agreement.
1.4 Any third party hardware and/or software are provided on an “as is” basis and Parties acknowledge that HCL shall have no liability in respect to any such hardware and/or software provided pursuant to this Agreement.
1.5 Both Parties shall in any event use all reasonable endeavours to avoid or mitigate any Losses which may arise under or in connection with this Agreement, regardless of its form.
44 39 9.5 “The SI is not absolved from its responsibility of complying with the statutory obligations as specified above. Indemnity would be limited to court awarded damages and shall exclude indirect, consequential and incidental damages. However indemnity would cover damages, loss or liabilities suffered by the bank arising out of claims made by its customers and/or regulatory authorities.”
We request that this clause be removed as Bank has a vast customer base and HCL cannot give indemnity for any claims. The claims must be subject to reasons directly attributable upon HCL, its employees. The ideal clause to be substituted with the existing clause of RFP is reproduced below and request the same to be included in RFP;
Each Party hereby undertake to defend, indemnify and keep indemnified (and where a Party is so indemnifying it shall be the “Indemnifying Party”) the other Party (a Party being indemnified shall be the “Indemnified Party”) against any unaffiliated third party claim and any resultant damages finally awarded by court of competent jurisdiction alleging that the Software and Materials or any part thereof provided by the Indemnifying Party constitutes an infringement or alleged infringement of any patent or copyright of a third party, provided that the Indemnified Party shall:
a) give written notice of any such claims to the Indemnifying Party within five Business Days of knowledge of such claim;
b) provide the Indemnifying Party with reasonable assistance in defending the claim;
c) make no admission without Indemnifying Party’s prior written consent; and
d) give the Indemnifying Party sole control of the litigation.
Provided that if an allegation of infringement of third party IPRs is made as provided for in this clause 14, the Indemnifying Party shall:
e) procure the right to continue using the affected Software or Materials;
f) replace, remove or modify any part of any affected Software or Materials with a non-infringing Software or Materials so as to avoid the alleged infringement; or
g) if none of the above are reasonably possible, accept the return of the infringing Software or Materials and refund the amounts paid for such Software or Deliverables after deduction of pro rata amounts for use until such date
The indemnity in clause 14 shall not apply to the extent that the claim arises as a result of:
h) a Party acting on the express instruction of the Indemnified Party to do or cause to be done the specific acts that resulted in the infringement or alleged infringement;
i) the Services Specification that were provided by the Party seeking indemnity;
j) modification of the allegedly infringing materials by a party other than a Indemnifying Party.
45 General: IPR • HCL to own its Pre-existing IP, Third Party IP to belong to third party, Developed IP to belong to Customer (where asked & subject to payment)
• Restriction on use of Pre-existing and third party IP in isolation or as stand-alone. Third party IP shall be subject to third party license terms and conditions
No Change in clause
46 General Excusing Clauses : HCL shall not be liable for any failure to perform (or any delay in performing) any of its obligations under either this Agreement or any Statement of Work if the failure or delay results from any of the following (each, an “Excusing Cause”) and request the same to be suitably changed in RFP:
a) a failure or delay by the Customer, its Affiliates and/or its other contractors in performing any of their obligations having an impact on the provision of Services; or
b) a failure or delay by the Customer, its Affiliates and/or its other contractors in providing HCL with the agreed assistance, inputs or facilities set out in or reasonably required in connection with a Statement of Work; or
c) HCL acting in accordance with an express instruction provided by the Customer.
HCL shall make all reasonable endeavours to continue to provide the Services to mitigate the impact of Excusing Cause and Customer shall compensate HCL for any additional costs and expenses incurred by HCL as a result thereof and the parties also agree to extend the HCL delivery timelines accordingly.
47 General DISCLAIMER OF LIABILITIES : We request Bank to acknowledge below clause and change in RFP:
Bank acknowledges and is aware that the Bidder does not manufacture the Products (or where the Products comprise computer software does not publish or license the software) and subject to the conditions set out in this Clause, the Bidder only sells the Products with the benefit of the manufacturer's or publisher's or licensor's (“publisher's”) warranty (as the case may be).
The Bidder will accept liability for defective Products only to the extent that the Bidder is entitled to make a claim under the manufacturer's or publisher's, Dead on Arrival, warranty or other defective goods terms and actually obtains from the manufacturer or publisher a refund credit repair or replacement in respect of the defective Products and the claims for the same shall be made according to the manufacturer's procedure and the instructions only.
48 General Other Recommendations on RFP
• No indemnity for general breach of contract. Standard indemnification procedure should be included in any contract which may be entered pursuant to the bid. No worldwide IP indemnity, specifically for Patents and No IPR indemnity if Customer fails to follow guidelines and instructions. Right with HCL to replace infringing version / procure license to use / obligation to refund fee after deducting usage charges
• Customer IP Indemnity for customer software/material.
• Subcontracting clause - HCL to be able to perform services through its subsidiary and affiliates
• No general or implied warranties to be provided
• Defined Acceptance Test & Criteria and to have Deemed Acceptance clause
• Compliance of back to back OEM obligations wherever applicable.
• HCL shall have the reasonable access to all the Onsite facilities
• Any penalty/SLA should be appropriately capped and governed by LOL clause
• The right of HCL to suspend / terminate this Agreement if the payment under the contract is delayed. If Sub contracting is required to be done by HCL, we request that Bank shall provide its consent without unnecessary delay.