Web Security Audit – Request for Proposal
Department of IT, GNCT Delhi Page 1 of 56
REQUEST FOR PROPOSAL (RFP)
FOR
WEBSITE SECURITY AUDIT OF
DELHI GOVERNMENT DEPARTMENTS,
AUTONOMOUS & LOCAL BODIES
DEPARTMENT OF INFORMATION TECHNOLOGY
Government of N.C.T of Delhi
B-Wing, 9th floor
Delhi Secretariat, New Delhi – 110 002
http://www.it.delhigovt.nic.in
Summary Sheet
Name of the Department: Department of Information Technology, Govt. of N.C.T of Delhi
Date of issue of R.F.P: 22nd October, 2007
Last Date and Time for submission of queries by E-mail ([email protected]): 1st November, 2007 by 6.00 P.M
Answers to the Bidder’s Questions will be available at www.it.delhigovt.nic.in: 7th November, 2007
Last Date and Time for Receipt of Proposal: 14th November, 3 P.M
Date and Time of Opening of Technical Bids: 14th November, 3.30 P.M
Place of Opening of Bids: Conference Hall of Information Technology Department, Room No. 902, B Wing, Level 9, Information Technology Department, Delhi Secretariat, New Delhi
Address for Communication: Deputy Secretary (Information Technology), Department of Information Technology, 9th Level, B-Wing, Delhi Secretariat, New Delhi 110002
Note:
• This bid document is not transferable.
• Bids without relevant documents as specified in this RFP should be summarily
rejected.
Disclaimer
The information contained in this Tender Document or subsequently provided to Bidder(s)
or Applicants whether verbally or in documentary form by or on behalf of Secretary,
Department of Information Technology, Government of N.C.T of Delhi or any of their
employees or advisors, is provided to the Bidder(s) on the terms and conditions set out in
this Tender Document and all other terms and conditions subject to which such information
is provided.
This Tender Document is not an agreement and is not an offer or invitation by the
Secretary, Department of Information Technology, Government of N.C.T of Delhi to any
party other than the Applicants who are qualified to submit the Bids (“Bidders”). The
principle of this Tender Document is to provide the Bidder(s) with information to support
the formulation of their Proposals. This Tender Document does not purport to contain all
the information each Bidder may require. This Tender Document may not be apposite for all
persons, and it is not possible for the Secretary, Department of Information Technology,
Government of N.C.T of Delhi or their employees or advisors to consider the
investment objectives, financial situation, and particular needs of each Bidder who reads or
uses this Tender Document. Each Bidder should conduct its own investigations and
analysis and should check the accuracy, reliability and completeness of the information in
this Tender Document and where necessary obtain independent advice from appropriate
sources. The Secretary, Government of N.C.T of Delhi their employees and advisors make
no representation or warranty and shall incur no liability under any law, statute, rules or
regulations as to the precision, reliability or completeness of the Tender Document. The
Secretary, Department of Information Technology , Government of N.C.T of Delhi, may in
their absolute discretion, but without being under any obligation to do so, update, improve
or supplement the information in this Tender Document.
Table of Contents
Sr.No Description Page No.
I Instruction to Bidders 6
1.1 Introduction and Background 6
1.2 Objectives 6
1.3 Submission of proposals 7
1.3.1 Bid Security 9
1.3.2 Pre-Qualification/Eligibility 10
1.3.3 Technical Proposal 11
1.3.4 Financial Proposal 11
1.4 Disqualification 12
1.5 Evaluation Process 12
1.6 Award and duration of work 14
1.7 Subcontracting and/or outsourcing of work. 14
1.8 Termination of the work 15
1.9 Penalties 15
1.10 Payment Terms and Conditions 15
1.11 Performance Guarantee 17
1.12 Audit Environment 17
1.13 Indemnity 17
1.14 Responsibility of the Auditor 18
1.15 Liability in respect of Damage 18
1.16 Quality of Audit 18
1.17 Confidentiality and Copyright 18
1.18 Validity of Proposals 19
1.19 Right to accept/reject the Proposals 19
1.20 Fraud and Corruption 19
1.21 Clarifications and amendments of RFP 20
1.22 Force Majeure 20
1.23 Arbitration 21
1.24 Follow-Up and Compliance 21
1.25 Exit Plan 21
II Terms of reference 22
2.1 Scope of the Work 22
2.1.1 Task1: Web Security Audit/Assessment 22
2.1.2 Task2: Re-Audit based recommendation report of Task1 24
2.1.3 Task3: Re, Re-Audit, if required based on the Task2 24
2.2 Deliverables and Audit Report 25
2.3 Exceptions of Auditee Organization from the Auditor 26
2.4 List of websites of Delhi Government Departments/Local bodies/Autonomous Bodies 29
III List of Annexures
3.1 Annexure 1: Notice of Intent to Bid 32
3.2 Annexure 2: Proposal Covering Letter 33
3.3 Annexure 3: Pre-Qualification Bid Covering letter 36
3.4 Annexure 4: Pre-Qualification Format 38
3.5 Annexure 5: Technical Bid Proposal 40
3.6 Annexure 6: Technical Bid Format 44
3.7 Annexure 7: Financial Proposals Format 45
3.8 Annexure 8: Project Experience Format 46
3.9 Annexure 9: Undertaking Format 47
3.10 Annexure 10: Curriculum Vitae 48
3.11 Annexure 11: Bid Security Format 49
3.12 Annexure 12: Performance Bank Guarantee Proforma 50
3.13 Annexure 13: List of Personnel 53
3.14 Annexure 14: Guidelines & Sample Audit Report Format for Website Audit as per NIC norms. 54
Section 1: Instructions to Bidders
1.1 Introduction and Background
A secure Web portal creates a single doorway to online services to the citizens. This
doorway generates new opportunities to strengthen relationships and increase the value
of services delivered to citizens, and employees. To take advantage of these
opportunities, it is necessary to mitigate the risk of sharing information, accepting
commitments and delivering services over the public Internet. A secure web portal
mitigates risk of unauthorized access to resources, has an auditable trail to support
transactions, particularly those with high sensitivity or high value, protects important
information from the moment it is entered by the user and as it continues through back-
end applications and workflow processes, strengthens on-line relationships enabling
more and more applications and services to be integrated with and accessed via the
high-value web portal. Also, as data submitted on a web portal travels to its final destination
in multiple back-end applications, the information needs to be protected from unauthorized
access or use.
The Government of National Capital Territory of Delhi was among the first few States
to recognize the importance of Internet and Information Communication Technology
(ICT) services in the functioning of Government Departments/Corporations/Local bodies
and has taken many initiatives to utilize this potential and bring it into a ground reality.
This led to bringing ease for citizens in interacting with the Government, appropriate
utilization of Government resources, re-engineering the organizations and designing a
suitable framework.
The web portal of the Delhi Government, i.e. www.delhigovt.nic.in, provides a single
point of information and interaction, for all citizens, visitors and businesses. The
websites of various Departments are further enabling the Government to bring G2C,
G2G and G2B services to the citizens.
1.2 Objectives
The objective of this proposal is to conduct the Audit to discover any
vulnerabilities/weaknesses/attacks in the website(s) and web application(s), which are
listed in this RFP. The Audit should be done by using Industry Standards and as per the
Open Web Application Security Project (OWASP) methodology.
The main objectives for conducting this website security audit are to:
1. Identify the security vulnerabilities which may be discovered in the website and
web application security audit, including cross-site scripting, broken
ACLs/weak session management, buffer overflows, forceful browsing, CGI-BIN
manipulation, form/hidden field manipulation, command injection, insecure use
of cryptography, cookie poisoning, SQL injection, server misconfiguration, well-
known platform vulnerabilities, errors triggering sensitive information leaks etc. on
the websites of the Delhi Government’s Departments/Corporations/Local bodies;
2. Perform the requirements gathering and analysis needed to increase the overall security posture;
3. Identify and prioritize the various risks to the websites;
4. Gain a better understanding of the websites, their applications and their potential vulnerabilities;
5. Determine whether the current websites of the Departments are secure and evaluate their
security;
6. Identify remedial solutions and recommendations for making the website
applications secure;
7. Rectify/fix the identified potential vulnerabilities and web application vulnerabilities,
thereby enhancing the overall security.
1.3 Submission of Proposals
The proposals shall be prepared in a three-cover format (one each for pre-qualification,
technical and financial documents): pre-qualification details as per Annexures 3 & 4,
technical details as per Annexures 5 & 6 and financial details as per Annexure 7.
The Bidder shall submit the Pre-Qualification Bid, Technical Bid and Financial Bid
documents in separate wax-sealed envelopes marked “Pre-qualification”, “Technical”
and “Financial Bid” respectively on the top left hand corner. All three sealed covers are to be put
in a bigger cover, which should also be sealed and duly superscribed.
Sealed proposals will be received at the front desk of the Deputy Secretary, Department
of Information Technology, Government of N.C.T of Delhi, New Delhi-110002 by
14th November 2007.
Addressed to:
SECRETARY (Information Technology)
DEPARTMENT OF INFORMATION TECHNOLOGY,
Government of NCT of Delhi,
9th floor, B-Wing
Delhi Secretariat, New Delhi – 110002.
Following are terms and conditions for the particular tender bid submission:
1. The tenderer cannot bid in consortium
2. All proposals should be submitted in English language only.
3. Award of the contract resulting from this tender will be based upon the most
responsive Bidder whose offer will be the most advantageous to Information
Technology Department in terms of cost, functionality and other factors as
specified.
4. Department of Information Technology, Government of N.C.T of Delhi
reserves the right to reject any or all offers and discontinue this tender process
without obligation or liability to any potential Bidder
5. The Bidder will confine its submission to those matters sufficient to define its
proposal, and to provide an adequate basis for Information Technology
department’s evaluation of the Bidder’s proposal.
6. All proposals received after the specified date and time shall not be considered
for award of work.
7. The Secretary, Department of Information Technology, Government of N.C.T
of Delhi will not accept delivery of proposals by fax or E-mail. Proposals
received by facsimile shall be treated as defective, invalid and rejected.
8. The original and copies of the bid, each consisting of the documents listed in the
instructions, shall be typed and shall be signed by the bidder or a person(s) duly
authorized to bind the bidder to the contract.
9. The Department of Information Technology, Government of N.C.T of Delhi,
will be under no legal obligation to provide employment to any of the personnel
of the contractor after expiry of agreement period and the Department
recognizes no employer-employee relationship between the Department and the
personnel deployed by the contractor.
10. The contractor shall comply with all the statutory provisions as laid down
under various Labour Laws/Acts/Rules like Minimum Wages, Provident Funds,
ESI, Bonus, Gratuity, Contract Labour Act and other Labour Laws/Acts/Rules
in force from time to time at his own cost. In case of violation of any such
statutory provisions under Labour Laws or any other law applicable by the
Contractor, there will not be any liability on Department/Government.
11. The contractor shall not employ any person who has not completed eighteen
years of age.
12. The department shall not be responsible financially or otherwise for any injury
to the staff deployed by the contractor in the course of performing the duty for
and on behalf of the contractor.
1.3.1 Bid Security
a) The Bidder shall furnish, as part of its technical proposal, an original bid security in
the amount of Indian Rupees (Rs) 4,00,000/- (Four Lakhs) only.
b) The Bid security shall be in the form of Demand Draft/Bankers’ Cheque/ Bank
Guarantee drawn in favour of Secretary, Department of Information Technology
issued by a Scheduled Bank. The Bid Security shall be valid for period of 45 days
beyond the final bid validity period.
c) The Bid Security must be submitted in the Technical Bid Cover.
d) Any proposal not sealed shall be rejected by the Department of Information
Technology, Government of N.C.T of Delhi
e) The Bid Security provided by the Bidder whose proposal is accepted shall be repaid
or discharged when the Performance Security has been duly submitted when the
vendor and vendee enter into and execute a Contract.
f) Bid security of unsuccessful bidders will be returned within and not later than 30
days of award of contract to the successful bidders.
g) Bid Security will be provided as per Annexure-11.
h) Forfeiture of Bid Security:
The Bid Security may be forfeited:
• if a bidder withdraws its bid during the period of validity of his proposal as
specified by the bidder in his proposal; or
• in the case of the successful bidder, if the bidder fails
o to sign the contract, or
o to furnish performance security as mentioned at Annexure-12 of the
RFP.
1.3.2 Pre-Qualification/Eligibility Criteria for Bidders
Eligibility Criteria: The pre-qualification proposal as specified in Annexures 3 and 4 will be
used to evaluate whether the bidder’s technical skill base and financial capacity are consistent
with the needs of the project. The following criteria have been defined for eligibility of an
audit firm (copies of the documentary evidence must be submitted). Only audit firms that
meet the criteria below need apply.
a) This invitation is open to all Indian firms/companies (the bidder).
b) The firm/company must be registered under the Indian Companies Act,
1956, the Partnership Act, 1932 or the Registration of Societies Act.
c) The bidder must have been empanelled by CERT-IN, having an empanelment
certificate valid up to 31st March 2008. Proof of this will have to be submitted.
d) The bidder should have been in operation for a period of at least 3 years as of 31-3-
2007 as evident by the Certificate of Incorporation and Certificate of Commencement
of Business issued by the Registrar of Companies, India.
e) The bidder should have had an average turnover of (Rs) 25,00,000/- (Twenty five
Lakhs) only during the last 3 financial years in Information Technology related
operations i.e. for the financial years 2004-05, 2005-06 & 2006-07 as revealed by
audited accounts.
f) The bidder should have an adequate number of Certified Information Systems Auditor
(CISA)/CISSP qualified professionals (say a minimum of 5), so as to associate them
with each audit team auditing the websites listed in this RFP simultaneously.
g) The bidder should give a commitment to deploy a Project Manager in the project, who
should be a Graduate in Engineering (B.Tech/B.E) and having at least 10 years
experience in the Information Technology field, out of which he/she should have
minimum three years experience in the Security Audit related Projects. He/She must be
a Certified Information Systems Auditor (CISA). The bidder should have at least 5
security audit certified professionals on rolls who have sufficient experience in
Information Technology & Web security audit and they must have Certified
Information Systems Auditors (CISA)/CISSP. The details of Project Manager/Auditors
for this project has to be submitted as per the format mentioned at Annexure-10 with
this bid.
h) The bidder should have experience of conducting similar Website Audits as proposed
by Department of Information Technology, Government of N.C.T. of Delhi, with a
minimum of 3 audit projects in organizations like banks, financial institutions,
insurance companies or Government departments.
i) The bidder should have SEI CMM Level 5 or higher Certificates.
j) The bidder should own at least one commercial Security Audit Tool. Name,
Description of the tool needs to be defined. Proof of this will have to be submitted.
k) The bidder should have at least one implementation/technical support office in the
National Capital Region.
l) The bidder has to submit proof for the eligibility criteria, including Sales
Tax Registration, Income Tax PAN Number, etc.
1.3.3 Technical Proposal
The Technical Bid shall include the detailed project plan for the website security audit
corresponding to the deliverables required by Department of Information Technology,
Government of N.C.T. of Delhi, for the project. The project plan should indicate the
milestones and time frame of completion of the different activities of the project. The bidder is
required to give details of the Project Management Methodology, Audit Standards and
methodology along with the quantum of resources to be deployed for the project, and the qualifications
and experience of the personnel deployed, in the technical bid. Resources and support required from
Department of Information Technology, Government of N.C.T. of Delhi, may also be clearly
defined. The technical bid is required to be submitted in the format given in Annexures 5 & 6.
1.3.4 Financial Proposal
Following are the terms and conditions for the Financial Proposal
1. This tender is for a fixed price bid.
2. The financial proposal shall be priced in Indian Rupees.
3. The Financial proposal shall clearly indicate, as per the Financial Summary
Sheet in Annexure-7, the total costs of carrying out the services as described in
the Terms of Reference (TOR) as well as taxes namely Value Added Tax
(VAT) and Service Tax etc wherever applicable.
4. The quotations shall be fixed and shall not allow for any fluctuation in costs of
labour, transport, etc. No adjustment shall be made to the contract value for any
fluctuation arising following submission of tender.
1.4 Disqualifications
Department of Information Technology, Government of N.C.T of Delhi may at its sole
discretion and at any time during the evaluation of Proposal, disqualify any bidder, if
the bidder has:
a. Submitted the Proposal documents after the scheduled date and time;
b. Made misleading or false representations in the forms, statements and attachments
submitted in proof of the eligibility requirements;
c. Exhibited a record of poor performance such as abandoning works, not
properly completing the contractual obligations, inordinately delaying
completion or financial failures, etc. in any project in the preceding three years;
d. Submitted a proposal that is not accompanied by required documentation or is non-
responsive;
e. Failed to provide clarifications related thereto, when sought;
f. Submitted more than one Proposal;
g. Declared ineligible by the Government of India/State/UT Government for
corrupt and fraudulent practices or blacklisted.
h. Submitted a proposal with price adjustment/variation provision.
Please note that the Department of Information Technology, Government of N.C.T. of
Delhi reserves the right to carry out the capability assessment of the “Bidder” and
the Department's decision shall be final in this regard.
1.5 Evaluation Process
A three-stage procedure (i.e Pre-Qualification criteria, Technical Bid and Financial
Bid) will be adopted for evaluation of proposals. The process for evaluation of
proposals is as given below:
a) Pre-qualification Criteria Evaluation: Preliminary scrutiny of the
Proposals for eligibility will be done to determine whether the Proposals
are complete, whether the documents have been properly signed,
whether any computational errors have been made, and whether the
Proposals are generally in order. Proposals not conforming to the
pre-qualification eligibility criteria shall be rejected summarily. Proposal
responses conforming to preliminary scrutiny shall be checked for
conformance to the pre-qualification eligibility criteria. Non-conforming
Proposals shall be rejected outright.
b) Technical Evaluation: An Evaluation Committee will assess all the bids received.
Technical Proposals would be opened only for those bidders, who have been qualified
during the Prequalification Evaluation of Proposals. If a Technical Proposal is
determined as not substantially responsive, Department of Information Technology,
Government of N.C.T. of Delhi will reject it. Technical Proposals conforming to Pre-
qualification eligibility criteria will be taken up for detailed Technical evaluation. All
the bidders who secure a Technical Score of 70% and above will be declared as
technically qualified for this bid with Department of Information Technology,
Government of N.C.T. of Delhi. The technical proposal will be evaluated as per the
Technical Evaluation Criteria mentioned in the following table:
TECHNICAL EVALUATION CRITERIA                                                  Weightage (%)
1   1a) Experience in working with Government Departments and Public Sector
        Undertakings for similar Projects                                                 05
    1b) Quality Management Standards/Certifications                                       05
    1c) Experience in conducting similar website and web application
        Security Audit (marks by number of projects):
            3 projects                                                                    15
            4-10 projects                                                                 17
            More than 10 projects                                                         20
2   2a) Level of understanding of the Project                                             05
    2b) Vendor’s Proposed Technical Solution: type of security assessment tool
        (licensed/free) and technologies to be used for identifying security
        vulnerabilities                                                                   15
    2c) Project implementation Methodology giving approach of vendor along
        with rollout plan, Project Management and Reporting                               10
3   Manpower Deployment:
    3a) Level of skills and experience                                                    10
    3b) Certification relevant to the role described (such as CISA and CISSP)             10
    3c) Relevance of Experience of the Individual to Website & Web Application
        Security                                                                          05
    3d) Number of Personnel in various categories proposed to be deployed on
        the ground                                                                        05
4   Sample Reports, Fulfilment of Audit Requirements as per this RFP Scope of
    Work: the extent to which the Bidder’s proposed solution fulfils the
    Information Technology Department’s stated requirements as set out in this
    tender, and an assessment of the Bidder’s ability to deliver the indicated
    service in accordance with the specifications set out in this tender                  10
c) Financial Bid Evaluation: The evaluation of the financial proposals shall be
carried out considering the total cost of the project to Department of Information
Technology, Govt of NCT of Delhi as indicated in the formats suggested for
furnishing the Financial Bids vide Annexure –7.
The Department of Information Technology, Government of N.C.T of Delhi, may, at
their discretion and without explanation to the prospective Bidders, at any time
choose to discontinue this tender without obligation to such prospective Bidders.
1.6 Award and Duration of the work
On acceptance of Proposal for awarding the contract, Department of Information
Technology, Government of N.C.T. of Delhi will notify the successful bidder in
writing that their proposals have been accepted. Department of Information
Technology, Government of N.C.T. of Delhi and successful bidder shall sign the
Contract Agreement at the time of signing of Contract. After signing of the Contract
Agreement, no variation in or modification of the term of the Contract shall be made
except by written amendment signed by the parties. The successful bidder has a
period of 15 days to start the work. The successful bidder is expected to complete
the work within a period of 180 days once the work has started.
1.7 Subcontracting and/or Outsourcing of Work
Outsourcing / subcontracting of work will not be permissible in any form. The
selected bidder after the award of the contract, pursuant to this RFP shall not
subcontract, transfer, or assign any portion of the contract and if awarded a contract
pursuant to this RFP, the selected vendor shall be solely and wholly responsible
for performing the work. Subcontracting/outsourcing will lead to termination of the contract
and forfeiture of Performance Guarantee. In case of such unavoidable circumstances,
the audit firm/company has to take prior written permission from Department of
Information Technology, Government of N.C.T. of Delhi for engaging such agency
or individual.
1.8 Termination of the Work
The Information Technology Department, Government of NCT of Delhi, without
prejudice to its rights under the Conditions of Tender or any other remedy for breach of
Contract, shall have the right to terminate the contract of the Auditor at any time if the
Auditor breaches any of the terms and conditions:
• Mentioned in this document or in the Award of Contract;
• As defined by CERT-IN, Department of Information Technology, Min. of
Information Technology, Government of India;
• The contract may also be terminated in case, the Information Technology
Department is of the view that the Auditor’s performance or competence
fails to meet the standards required for the Audit assignment.
1.9 Penalties
For any delay in completion of the task beyond the 180-day period from the date of
award of work, liquidated damages of a sum equivalent to 0.5% of the project value
for every day of delay, up to a maximum of 30% of the contract value, shall be
deducted from the project value. Once the maximum penalty amount is reached, the
contract shall also be terminated.
1.10 Payment Terms and Conditions
1. The bidder will offer a commercial quote, based on fixed cost, inclusive of VAT, Service
Tax etc. and other duties, cess, fees etc., if any, and Department of Information Technology,
Government of N.C.T. of Delhi will not pay any additional amount other than that indicated in
the offer.
2. TDS will be deducted at source for any payment made, as per rules of Government of
India.
3. Department of Information Technology, Government of N.C.T. of Delhi will neither
provide nor reimburse expenditure towards any type of accommodation, travel ticket,
airfares, train fares, halting expenses, transport, lodging, boarding etc.
4. Department of Information Technology, Government of N.C.T. of Delhi may impose
penalty, in case of delay of any deliverables at the rate of 0.5% per week delay, either for
completion of audit exercises or submission of draft reports, subject to a maximum of 30 %
of the total cost, for all delays attributable directly to the Audit Firm/Company.
5. The audit firm/company will not sub contract part or complete assignment to any other
agency or individual. In case of such unavoidable circumstances, the audit firm/company has
to take prior written permission from Department of Information Technology, Government of
N.C.T. of Delhi for engaging such agency or individual.
6. The audit firm/company shall keep information related to this project confidential and will
not divulge to outside agencies without written consent from Department of Information
Technology, Government of N.C.T. of Delhi.
7. If selected, the Audit Firm/Company shall have to sign an agreement.
8. Payment Schedule:
The payment terms for the bidder’s services shall be as follows:
Sl. No   Payment milestone                                                   Payment in Percentage
(i)      On confirmation of award of contract and submission of              10% of the total payment for Tasks 1 to 3
         performance security
(ii)     After submission of Report as per Task 1: Web Security              30% of the total payment for Tasks 1 to 3
         Audit/Assessment
(iii)    After submission of Report as per Task 2 (Re-Audit based on the     30% of the total payment for Tasks 1 to 3
         vulnerabilities identified from Task 1)
(iv)     After submission of Report as per Task 3 (Re-Re-Audit based on      30% of the total payment for Tasks 1 to 3
         the vulnerabilities identified from Task 2)
1.11 Performance Guarantee
The successful bidder shall furnish the performance security representing 10% of the
total value of the contract within 15 days of the receipt of notification of award as per
the Performance Guarantee Proforma provided in Annexure-12.
Performance security should remain valid for a period of 60 days beyond the date of
completion of all contracts.
1.12 Audit Environment
The Audit may be conducted from the successful bidder’s site by accessing the websites remotely. The
auditors will carry out the external audit from their own location. However, the successful
bidder needs to take the required permission from the particular Department. For this the
successful bidder shall agree to the Non-Disclosure Agreement (NDA) as specified
in this RFP. The successful bidder will also conduct a conference with the respective
Departments/Corporations/Local Bodies in the Delhi Secretariat before the
commencement of the work to understand the website of the concerned Department. One
visit to the user department and a meeting with a representative of the department is required to be
made by the auditor to guide the department in fixing/removing the vulnerabilities identified
during the first audit by the Auditor.
1.13 Indemnity
The Auditor shall indemnify, and keep indemnified, the Government of N.C.T of Delhi
against all claims, demands, actions, costs, expenses, (including without limitation,
damages for any loss of business, business interruption, loss of business information or
other indirect loss), arising from or incurred by reason of any third party claims against
Department of Information Technology arising from the breach by the Auditor of any
or all of its obligations under the Contract with the Department of Information
Technology. The Auditor shall be liable to indemnify the Department of Information
Technology only if:
(i) The Department of Information Technology, Government of N.C.T of Delhi has
promptly provided Auditor intimation of such claim;
(ii) The Department of Information Technology, Government of N.C.T of Delhi has
not admitted to or accepted any of the claim;
(iii) The Department of Information Technology, Government of N.C.T of Delhi has
authorized the Auditor to defend or settle the claim;
(iv) The Department of Information Technology, Government of N.C.T of Delhi has
provided such assistance and information to the Auditor as may be required by
the Auditor.
1.14 Responsibilities of the auditor
The Auditor shall ensure that:
1. The auditing is carried out strictly in accordance with the terms and conditions
stipulated in the audit assignment contract as well as general expectations of the
auditee from an auditor.
2. All applicable codes of conduct and auditing standards are adhered to with due
professional care.
3. The audit report is submitted to the Department of Information Technology,
Government of N.C.T of Delhi and one copy of the report should be submitted to
the concerned department.
1.15 Liability in Respect Of Damage
The Auditor shall make good or compensate for all direct damage occurring to the
website and web applications of the respective department and/or Department of
Information Technology, Government of N.C.T of Delhi in connection with this
Contract for carrying out audit.
Provided that this Clause shall not apply if the Auditor is able to show that any such
damage is caused or contributed to by the neglect or default of the respective
Department. The security auditor’s liability will be limited to the cost of service
provided. Default or neglect by the Auditor will include both malicious and non-
malicious errors and project mismanagement.
1.16 Quality Of Audit
The selected vendor will ensure that the audit assignments are carried out in
accordance with applicable guidelines and standards as mentioned in this document
and terms and conditions specified by the CERT-IN, Department of Information
Technology, Min. of Information Technology, Government of India.
1.17 Confidentiality and copyright
Information relating to the examination, clarification and comparison of the Proposals
shall not be disclosed to any bidder or any other persons. The undue use by any
bidder of confidential information related to the process may result in rejection of its
Proposal. During the execution of the project, except with the prior written consent of
the Department of Information Technology, Government of N.C.T of Delhi, the
Consultant and its personnel shall not at any time communicate to any person or
entity any confidential information acquired in the course of the auditing. All
recipients of tender documents, whether they submit a tender or not, shall treat the
details of the documents as private and confidential. Copyright in the documents
prepared by the bidder is reserved to the Department of Information Technology,
Government of N.C.T of Delhi. The Auditor shall ensure that his employees,
servants, agents and sub-contractors keep confidential all information, in whatever
form, obtained, produced or derived from or related to the carrying out of its
obligations under these terms and conditions as well as the Contract with the
Department of Information Technology, Govt of N.C.T of Delhi.
1.18 Validity of Proposals
The bidder's proposal shall remain valid for a period of 120 days beyond the closing date
of the tender.
1.19 Right to Accept/Reject Proposals
The Department of Information Technology, Government of N.C.T. of Delhi reserves
the right to accept or reject any Proposal(s) at any time prior to award of contract,
without thereby incurring any liability to the affected Respondent(s) or any obligation
to inform the affected bidder(s) of the grounds for such decision.
1.20 Fraud and Corruption
The Consultants selected through this RFP must observe the highest standards of
ethics during the performance and execution of such contract. In pursuance of this
policy, Department of Information Technology, Government of N.C.T. of Delhi:
(a) Defines, that for such purposes, the terms set forth will be as follows:
(i) "Corrupt practice" means the offering, giving, receiving or soliciting of any
thing of value to influence the action of Department of Information Technology,
Government of N.C.T. of Delhi or any personnel of Consultant(s) in contract
executions.
(ii) "Fraudulent practice" means a misrepresentation of facts, in order to influence
a procurement process or the execution of a contract, to Department of
Information Technology, Government of N.C.T. of Delhi, and includes collusive
practice among bidders (prior to or after Proposal submission) designed to
establish Proposal prices at artificially high or non-competitive levels and to
deprive DIT, Government of N.C.T. of Delhi of the benefits of free and open
competition;
(iii) “Unfair trade practices” means supply of services different from what is
ordered, or a change in the Scope of Work;
(iv) “Coercive practices” means harming or threatening to harm, directly or
indirectly, persons or their property to influence their participation in the
execution of the contract.
(b) Shall reject a proposal for award, if it determines that the bidder recommended for
award, has been engaged in corrupt, fraudulent or unfair trade practices.
(c) Shall declare a Consultant ineligible, either indefinitely or for a stated period of time,
for awarding the contract, if it at any time determines that the Consultant has been engaged
in corrupt, fraudulent and unfair trade practice in competing for, or in executing, the
contract.
1.21 Clarifications and amendments of RFP Document
1.21.1 RFP Clarifications
During Pre-Qualification and Technical Evaluation of the Proposals, the Department
of Information Technology, Government of N.C.T. of Delhi may, at its
discretion, ask bidders for clarifications on their proposals. The bidders are
required to respond within the prescribed time frame.
1.21.2 Amendments in RFP
At any time prior to deadline for submission of proposal, Department of
Information Technology, Government of N.C.T. of Delhi may for any reason,
modify the RFP. The prospective bidders having received the RFP shall be
notified of the amendments through website and/or newspapers and such
amendments shall be binding on them.
1.22 Force Majeure
If the performance as specified in this order is prevented, restricted, delayed or
interfered with by reason of:
- Fire, explosion, cyclone, floods
- War, revolution, acts of public enemies, blockade or embargo
- Any law, order, proclamation, ordinance, demand or requirement of any
Government or authority or representative of any such Government, including restrictive
trade practices or regulations.
- Strikes, shutdowns or labour disputes which are not instigated for the purpose of
avoiding obligations herein, or
- Any other circumstances beyond the control of the party affected, then,
notwithstanding anything hereinbefore contained, the party affected shall be excused
from its performance to the extent such performance relates to the prevention, restriction,
delay or interference, provided the party so affected uses its best efforts to remove
such cause of non-performance and, when it is removed, the party shall continue
performance with utmost dispatch.
1.23 Arbitration
In the event of a dispute or difference of any nature whatsoever between
the Audit firm/company and the Department of Information Technology, Government of
N.C.T. of Delhi during the course of the assignment arising as a result of this order,
the matter shall be referred to Arbitration as per the Arbitration and Conciliation Act,
1996.
1.24 Follow-Up and Compliance
The Audit firm/company is required to follow-up with the concerned offices of the
Department of Information Technology, Government of N.C.T. of Delhi and the
concerned Department for compliance. The Audit firm/company has to submit a
summary compliance report at the end of each task, and the final report should
certify that the website/web application (naming the website and/or web
application) is “Certified for Security”.
1.25 Exit Plan
The Partner will promptly, on the commencement of the exit management period, supply
the following:
• Documentation relating to website audit Intellectual Property Rights;
• Data and confidential information;
• The terms of payment as stated in the Terms of Payment Schedule include the
costs of the Partner complying with its obligations under this Schedule.
• In the event of termination or expiry of MSA, Project Implementation, or
Operation and Management SLA, each Party shall comply with the Exit
Management Plan.
• During the exit management period, the Partner shall use its best efforts
to deliver the services.
Section 2: Terms of Reference
2.1 Scope of the Work
Bidders will be expected to perform the following tasks for website and web-application
security, to analyze and review the website/application security. The
auditors will have to carry out an assessment of the vulnerabilities, threats and risks
that exist in the website through Internet Vulnerability Assessment and Penetration
Testing. This will include identifying remedial solutions and recommendations for
implementing them to mitigate all identified risks, with the objective of
enhancing the security of the website. The bidder will also be expected to propose
a risk mitigation strategy as well as give specific recommendations to tackle the
residual risks emerging from the identified vulnerabilities. The website
and web application should be audited as per industry standards and also as per
the OWASP (Open Web Application Security Project) model. The auditor is
expected to submit the final audit report after the remedies/recommendations are
implemented. The final report will certify the particular website/web application
“Certified for Security”. All the website security audit reports should contain the
details as mentioned under the Audit Report in Section 2.2.
The scope of the proposed audit tasks is given below. The audit firm/company
will be required to prepare the checklists/reports.
2.1.1 Task 1: Web Security Audit/Assessment
Check the website and web applications for the various web attacks. The
checks/attacks/vulnerabilities should cover at least the following, and any other type of
attack to which the website/web application is vulnerable.
• Vulnerabilities to SQL Injections
• CRLF injections
• Directory Traversal
• Authentication hacking/attacks
• Password strength on authentication pages
• Scan JavaScript for security vulnerabilities
• File inclusion attacks
• Exploitable hacking vulnerabilities
• Web server information security
• Cross site scripting
• PHP remote scripts vulnerability
• HTTP Injection
• Phishing a website
• Buffer Overflows, Invalid inputs, insecure storage etc.
• Any other attacks to which the website and web applications are vulnerable
• The Top 10 Web application vulnerabilities, which are given below, should
also be checked on the given websites:
A1 - Cross Site Scripting (XSS)
XSS flaws occur whenever an application takes user supplied data and sends it to a web
browser without first validating or encoding that content. XSS allows attackers to execute
script in the victim's browser which can hijack user sessions, deface web sites, possibly
introduce worms, etc.
A2 - Injection Flaws
Injection flaws, particularly SQL injection, are common in web applications. Injection
occurs when user-supplied data is sent to an interpreter as part of a command or query.
The attacker's hostile data tricks the interpreter into executing unintended commands or
changing data.
A3 - Malicious File Execution
Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and
data, resulting in devastating attacks, such as total server compromise. Malicious file
execution attacks affect PHP, XML and any framework which accepts filenames or files
from users.
A4 - Insecure Direct Object Reference
A direct object reference occurs when a developer exposes a reference to an internal
implementation object, such as a file, directory, database record, or key, as a URL or form
parameter. Attackers can manipulate those references to access other objects without
authorization.
A5 - Cross Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a pre-authenticated request to a
vulnerable web application, which then forces the victim’s browser to perform a hostile
action to the benefit of the attacker. CSRF can be as powerful as the web application that
it attacks.
A6 - Information Leakage and Improper Error Handling
Applications can unintentionally leak information about their configuration, internal
workings, or violate privacy through a variety of application problems. Attackers use this
weakness to steal sensitive data, or conduct more serious attacks.
A7 - Broken Authentication and Session Management
Account credentials and session tokens are often not properly protected. Attackers
compromise passwords, keys, or authentication tokens to assume other users' identities.
A8 - Insecure Cryptographic Storage
Web applications rarely use cryptographic functions properly to protect data and
credentials. Attackers use weakly protected data to conduct identity theft and other crimes,
such as credit card fraud.
A9 - Insecure Communications
Applications frequently fail to encrypt network traffic when it is necessary to protect
sensitive communications.
A10 - Failure to Restrict URL Access
Frequently, an application only protects sensitive functionality by preventing the display of
links or URLs to unauthorized users. Attackers can use this weakness to access and perform
unauthorized operations by accessing those URLs directly.
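As an added illustration of two of the categories above (A1 Cross Site Scripting and A2 Injection Flaws), and not part of the RFP or of any audited site: a vulnerable handler beside its hardened form for each, in Python, so that the finding an auditor is asked to report and the developer's fix can be reproduced offline. The in-memory SQLite table, its rows and the test inputs are constructed for the example; the names make_db, lookup_*, greet_* and audit_check are hypothetical.

```python
"""Added example (not from the RFP): vulnerable and hardened handlers for
OWASP 2007 A1 (Cross Site Scripting) and A2 (Injection Flaws).
The SQLite table, its rows and the test inputs are constructed sample data."""
import html
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a two-row 'users' table kept in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# A2 - Injection Flaws: user-supplied data reaches the SQL interpreter.
def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Concatenates the request parameter into the query text, so the
    interpreter parses it as SQL instead of treating it as a plain value."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Binds the parameter; quotes or keywords inside it never change the
    command, so a tautology input matches no user and returns no rows."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# A1 - Cross Site Scripting: user-supplied data is sent back to the browser.
def greet_vulnerable(name: str) -> str:
    """Echoes the parameter into HTML unencoded: any markup in it is
    rendered, and any script in it runs in the visiting user's browser."""
    return "<p>Hello, " + name + "</p>"


def greet_hardened(name: str) -> str:
    """HTML-encodes the parameter, so the browser shows it as literal text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def audit_check(conn: sqlite3.Connection) -> Dict[str, object]:
    """Runs one constructed test input through each pair and records whether
    the hardened form neutralises it. This mirrors the 'test cases used' and
    'results of tests performed' items the RFP's audit report must contain."""
    sql_probe = "x' OR '1'='1"                 # constructed tautology input
    xss_probe = "<script>probe</script>"       # constructed markup input
    return {
        "A2_vulnerable_rows": len(lookup_vulnerable(conn, sql_probe)),
        "A2_hardened_rows": len(lookup_hardened(conn, sql_probe)),
        "A1_vulnerable_echoes_markup": "<script>" in greet_vulnerable(xss_probe),
        "A1_hardened_echoes_markup": "<script>" in greet_hardened(xss_probe),
    }


if __name__ == "__main__":
    # Expected: the vulnerable lookup returns both rows and the vulnerable
    # greeting echoes the markup; both hardened forms neutralise the input.
    print(audit_check(make_db()))
```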
2.1.2 Task 2: Re-Audit based on the Recommendations Report from Task 1
The vendor will be responsible to provide a detailed recommendations report for the
vulnerabilities observed from Task 1.
2.1.3 Task 3: Re, Re-Audit, if required based on the Recommendations Report from Task 2
If vulnerabilities are observed from the re-audit, the vendor has to provide a
detailed recommendations report on the vulnerabilities observed or found in the Re-
audit/Task 2. The Department of Information Technology, Government of N.C.T. of
Delhi expects that all vulnerabilities will be removed at the Task 3 stage. The
Audit firm/company has to submit a summary compliance report at the end of each task,
and the final report should certify that the website/web application (naming the
website and/or web application) is “Certified for Security”.
2.2 Deliverables and Audit Reports
(a) The successful bidder will be required to submit the following documents after the
audit for each website, as mentioned below, and the audit firm must also submit
suggestions/recommendations and other detailed steps for enhancing the website
security:
(i) A detailed report will be submitted with the security status and discovered
vulnerabilities, weaknesses and mis-configurations, with associated risk
levels and recommended actions for risk mitigation.
(ii) Summary and detailed reports on security risks, vulnerabilities and audit,
with the necessary countermeasures and recommended corrective actions
as recommended above, need to be submitted in duplicate to the
Department of Information Technology, Government of N.C.T. of Delhi.
A copy of the same should also be submitted to the concerned department.
(iii) All deliverables shall be in the English language and in A4 size format.
(iv) The vendor will be required to submit the deliverables as per the agreed
implementation plan.
• The deliverables (like Summary compliance report, Check list, Audit Report,
Executive Summary and Final compliance report after all observations) for each
task are to be submitted by the Auditors for this assignment as mentioned in
Task 1, Task 2 and Task 3.
(b) Timeframe of the deliverables
• The selected successful bidder will be required to start the project within 15 days
from the date of placing the order for the audit.
• The entire audit must be completed within 180 days from the placing of order.
• All the draft reports of the agreed deliverables should be submitted by the
firm/company within 15 days of the commencement of the audit.
• The successful bidder should submit the final reports of the deliverables within 20
days of the commencement of the audit or within 30 days of receiving feedback
from the concerned department on draft reports.
• The audit, as mentioned above, has to be completed in time. It is expected
that, if required, the successful bidder may deploy multiple teams to complete
the audit projects within given time frame.
(c) Audit Report
The Website security audit report is a key audit output and must contain the
following:
1. Identification of auditee (Address & contact information)
2. Dates and Location(s) of audit
3. Terms of reference (as agreed between the auditee and auditor), including the
standard for Audit, if any
4. Audit plan
5. Explicit reference to key auditee organisation documents (by date or version)
including policy and procedure documents
6. Additional mandatory or voluntary standards or regulations applicable to the
auditee
7. Standards followed
8. Summary of audit findings, including identification of tests, tools used and results
of tests performed (like vulnerability assessment, application security assessment,
password cracking, etc.)
a. Tools used
b. List of vulnerabilities identified
c. Description of vulnerability
d. Risk rating or severity of vulnerability
e. Test cases used for assessing the vulnerabilities
f. Illustration of the test cases to prove the vulnerability
g. Applicable screen dumps
9. Analysis of vulnerabilities and issues of concern
10. Recommendations for action
11. Personnel involved in the audit, including identification of any trainees
The auditor may further provide any other required information as per the
approach adopted by them and which they feel is relevant to the audit process.
12. The successful bidder must also follow the guidelines of the National
Informatics Centre (NIC) for website security audit and submit the audit
report as per the format mentioned in the guidelines. These guidelines are
available at Annexure-14.
2.3 Expectations Of Auditee Organization From The Auditor
Following are the expectations of auditee from the auditor:
1. Verification of possible vulnerable services will be done only with explicit
written permission from the auditee.
2. The auditee will refrain from security testing of obviously highly insecure
and unstable systems, locations, and processes until the security has been
put in place.
3. With or without a Non-Disclosure Agreement Contract, the security
auditor will be ethically bound to confidentiality, non-disclosure of
customer information, and security testing results.
4. Auditor should have clarity in explaining the limits and dangers of the
security test.
5. In the case of remote testing, the origin of the testers by telephone
numbers and/or IP addresses will be made known.
6. Specific permissions will be sought for tests involving survivability failures,
denial of service, process testing, or social engineering.
7. The scope should be clearly defined contractually before verifying
vulnerable services.
8. The scope should clearly explain the limits of the security test.
9. The test plan should include both calendar time and man-hours.
10. The test plan should include hours of testing.
11. The security auditors are required to know their tools, where the tools
came from, how the tools work, and have them tested in a restricted test
area before using the tools on the customer organization.
12. The exploitation of Denial of Service tests is done only with explicit
permission.
13. High risk vulnerabilities such as discovered breaches, vulnerabilities with
known, high exploitation rates, vulnerabilities which are exploitable for
full, unmonitored or untraceable access, or which may convey immediate
risk, discovered during testing are to be reported immediately to the
Department of Information Technology, Government of N.C.T. of Delhi
with a practical solution as soon as they are found.
14. The Auditor is required to notify the auditee whenever the auditor changes
the auditing plan, changes the source test venue, has high risk findings,
previous to running new, high risk or high traffic tests, and if any testing
problems have occurred. Additionally, the Department of Information
Technology, Government of N.C.T. of Delhi is to be notified with
progress updates at reasonable intervals.
15. Reports should state clearly all states of security found and not only failed
security measures.
16. Reports will use only qualitative metrics for gauging risks based on
industry-accepted methods. These metrics are based on a mathematical
formula and not on feelings of the auditor.
17. The Auditor is required to notify the Department of Information
Technology, Government of N.C.T. of Delhi when the report is being sent
as to expect its arrival and to confirm receipt of delivery.
18. All communication channels for delivery of report are end to end
confidential.
2.4 List of Websites
Following is the list of websites for which the bidder will be required to do the security audit.
List of Government, Autonomous and Local Bodies Departments: 76
Government Departments: 53
S.No.  Website URL  Department Name
1  http://www.ar.delhigovt.nic.in  Administrative Reforms
2  http://www.artandculture.dehigovt.nic.in  Art, Culture and Language
3  http://www.audit.delhigovt.nic.in  Audit
4  http://tiharprisons.nic.in  Central Jail
5  http://www.chitfund.delhigovt.nic.in  Chit Fund
6  http://www.forest.delhigovt.nic.in  Conservator of Forest
7  http://www.dce.ac.in/  Delhi College of Engineering
8  http://www.dfsdelhigovt.nic.in  Delhi Fire Services
9  http://www.delhiassembly.nic.in  Delhi Legislative Assembly
10  http://www.sec.delhigovt.nic.in  Delhi State Election Commission
11  http://www.dsssb.delhigovt.nic.in  Delhi Subordinate Services Selection Board
12  http://www.dccentral.delhigovt.nic.in  Deputy Commissioner (Central)
13  http://www.dceast.delhigovt.nic.in  Deputy Commissioner (East)
14  http://dcnewdelhi.delhigovt.nic.in  Deputy Commissioner (New Delhi)
15  http://www.dcnortheast.delhigovt.nic.in  Deputy Commissioner (North East)
16  http://www.dcnorthwest.delhigovt.nic.in  Deputy Commissioner (North West)
17  http://www.dcnorth.delhigovt.nic.in  Deputy Commissioner (North)
18  http://www.dcsouthwest.delhigovt.nic.in  Deputy Commissioner (South West)
19  http://www.dcsouth.delhigovt.nic.in  Deputy Commissioner (South)
20  http://www.dcwest.delhigovt.nic.in  Deputy Commissioner (West)
21  http://development.delhigovt.nic.in/  Development
22  http://agriculturalmarketing.delhigovt.nic.in/  Directorate of Agricultural Marketing
23  http://www.des.delhigovt.nic.in  Directorate of Economics And Statistics
24  http://www.health.delhigovt.nic.in  Directorate of Health Services (DHS)
25  http://www.districts.delhigovt.nic.in  District Administration
26  http://www.ceodelhi.nic.in  Election (Chief Electoral Office)
27  http://www.environment.delhigovt.nic.in  Environment
28  http://www.excise.delhigovt.nic.in  Excise
29  http://www.gbpant.org  G. B. Pant Hospital
30  http://www.higheredn.delhigovt.nic.in  Higher Education
31  http://www.delhihomeguards.nic.in  Home Guard & Civil Defence
32  http://www.industries.delhigovt.nic.in  Industries
33  http://www.publicity.delhigovt.nic.in  Information and Publicity
34  http://www.ifc.delhigovt.nic.in  Irrigation and Flood Control (I&FC)
35  http://www.land.delhigovt.nic.in  Land and Building
36  http://www.law.delhigovt.nic.in  Law and Justice and Legislative Affairs
37  http://www.mamc.ac.in/  Maulana Azad Medical College
38  http://www.delhiplanning.nic.in  Planning
39  http://www.pfa.delhigovt.nic.in  Prevention of Food Adulteration (PFA)
40  http://www.coa.delhigovt.nic.in  Principal Accounts Office
41  http://www.pgc.delhigovt.nic.in  Public Grievances Commission
42  http://www.pwd.delhigovt.nic.in  Public Works Department (PWD)
43  http://www.rcs.delhigovt.nic.in  Registrar Cooperative Society
44  http://services.delhigovt.nic.in  Services
45  http://www.socialwelfare.delhigovt.nic.in  Social Welfare / Rehabilitation Services
46  http://www.delhigovt.nic.in/dept/Tourism/default.htm  Tourism
47  http://www.tte.delhigovt.nic.in  Training & Technical Education
48  http://www.transport.delhigovt.nic.in  Transport
49  http://www.utcs.delhigovt.nic.in  Union Territory Civil Services (UTCS)
50  http://delhigovt.nic.in/dept/ud/index.asp and http://www.delhigovt.nic.in/dept/UD/welcome.htm  Urban Development
51  http://www.delhigovt.nic.in/dept/vigilance/welcome.htm  Vigilance
52  http://www.weights.delhigovt.nic.in  Weights & Measures
53  http://www.scstwelfare.delhigovt.nic.in  Welfare of SC/ST
Local Bodies: 01
S.No.  Website URL  Department Name
1  http://www.ndmc.gov.in  New Delhi Municipal Corporation (NDMC)
Autonomous Departments: 22
S.No.  Website URL  Department Name
1  http://www.delhihomeoboard.com  Board of Homeopathic System of Medicine
2  http://www.delagrimarket.org  Delhi Agriculture Mkt. Board
3  http://www.dcw.delhigovt.nic.in  Delhi Commission for Women
4  www.dchfcdelhi.com  Delhi co-op. Housing Societies Finance Co. Ltd.
5  http://www.dfcdelhi.nic.in  Delhi Financial Corporation (DFC)
6  http://www.delhijalboard.nic.in  Delhi Jal Board (DJB)
7  http://www.dkvib.delhigovt.nic.in  Delhi Khadi Village Industries Board (DKVIB)
8  http://www.dlwb.delhigovt.nic.in  Delhi Labour Welfare Board
9  http://www.dmc.delhigovt.nic.in/  Delhi Minority Commission
10  http://www.pharmacy.delhigovt.nic.in  Delhi Pharmacy Council
11  http://www.dscsc.delhigovt.nic.in  Delhi State Civil Supplies Corporation Limited (DSCSC)
12  http://www.delhitrafficpolice.nic.in  Delhi Traffic Police
13  http://dtc.nic.in  Delhi Transport Corporation (DTC)
14  http://www.delhicourts.nic.in  District & Session Judge Office
15  http://www.ipu.ac.in  Guru Gobind Singh Indraprastha University
16  http://www.ihbas.delhigovt.nic.in  IHBAS
17  http://www.ipgcl-ppcl.com  Indraprastha Power Generation Co. Ltd
18  http://ilbs.delhigovt.nic.in  Institute of Liver and Biliary Sciences
19  http://www.delhidemo.nic.in/lokayukta/home.asp  Lokayukta
20  http://www.mgiirepd.org.in  Mahatma Gandhi Institute of Integrated Rural Energy Planning and Development
21  http://www.nsit.ac.in  Netaji Subhash Institute of Tech.
22  http://www.cbsdu.net  Shaheed Sukhdev College of Business Studies
3.1 Annexure-1: Notice of Intent to Bid
Letter Dated Date/Month/Year
The Secretary, Information Technology
Government of NCT of Delhi
Dear Sir,
RE: Notice of Intent to Submit the Proposal
This is to notify you that our firm/company intends to submit a proposal in response to RFP
No……………………. Primary and Secondary contacts for our firm/company are:
                  Primary Contact        Secondary Contact
Name :
Title :
Company Name :
Address :
Phone :
Fax :
E-mail :
Sincerely,
[BIDDER’S NAME]
Title
Signature
Date
3.2 Annexure-2: Proposal covering letter
Letter Dated Date/Month/Year
The Secretary, Information Technology
Government of NCT of Delhi
Dear Sir,
Re: website and web application security audit for the Delhi Government departments,
Corporations and Local bodies.
In response to the RFP for “website and web application security audit for the Delhi
Government Departments, Corporations and Local bodies” issued by the Secretary,
Information Technology, the Government of NCT of Delhi, we herewith submit our
proposal. The following documents have been included as part of the proposal:
S.No Enclosed documents
1 Pre-qualification bid (sealed and marked)
2 Technical bid (sealed and marked)
3 Commercial bid (sealed and marked)
4 EMD amount in the form of DD as mentioned in section 1.3.1 of this
RFP.
5 Additional information if any
1. Having examined the tender Documents and Appendices thereto and Addenda
Numbers …………. thereto, we, the undersigned, offer to provide the said services, in
conformity with the said Contract, Terms of Reference and Appendices thereto and
Addenda for the sum indicated as per the attached Financial Proposal.
2. We acknowledge having received the following Addenda to the bid documents:
Addendum No. Date
3. We undertake, if our proposal is accepted, to provide the services comprised in the
contract within 15 days of the receipt of notification of award from the Information
Technology Department, Government of NCT of Delhi.
4. If our proposal is accepted we will obtain, within 15 days of receipt of notification of
award, the guarantee of a scheduled commercial bank to be jointly and severally bound
with us in the form of a Performance Guarantee.
5. We agree to execute the work in the form set out in the tender Documents with such
alterations or additions thereto as may be necessary to adapt such agreement to the
circumstances of this tender and notice of award within 105 days after notification of
your intention to accept this proposal.
6. Unless and until a formal agreement is prepared and executed this proposal together
with your written acceptance thereof shall constitute a binding contract between us and
shall be deemed for all purposes to be the contract agreement.
7. We understand that you are not bound to accept the lowest or any bid you may receive,
nor to give any reason for the rejection of any bid and that you will not defray any
expenses incurred by us in bidding.
8. We would like to clearly state that we qualify for this work as our company meets all
the pre-qualification criteria indicated on your tender document. The details are as
under.
Dated this …………………………. day of
…………………………………...……….
Signature …………………………………………………………………………………
In the capacity of ……………………………………………………………..………….
Duly authorised to sign bids for and on behalf of
……………………………………………………………………………………………
(IN BLOCK CAPITALS)
Address:
Witness:
Address:
Occupation:
Sincerely yours
(Signature) (In the capacity of)
Duly authorized to sign the Tender Response for and on behalf of :
(Name and address of Company) Seal/Stamp of bidder
Witness Signature :
Witness Name :
Witness Address :
CERTIFICATE AS TO AUTHORIZED SIGNATORIES
I certify that I am Secretary of the …………………., and that
……………………………………………. who signed the above Bid is authorized to bind
the corporation by authority of its governing body.
(Secretary)
Date
(Seal here)
3.3 Annexure-3: Pre-qualification bid covering letter
Letter Dated Date/Month/Year
The Secretary, e-Governance
Government of NCT of Delhi
Dear Sir,
Re: Submission of Pre-Qualification Bid for website and web application security audit for
the Delhi Government departments, Corporations and Local bodies.
Having examined the tender document, the receipt of which is hereby duly acknowledged,
we, the undersigned, offer to perform the website and web application security audit for the
Delhi Government Departments, Corporations and Local bodies as required and outlined in
the RFP for the Government of NCT of Delhi.
The details sought by the Government to evaluate the bidder’s technical skill base and
financial capacity for website and web application security audit for the Delhi Government
departments, Corporations and Local bodies are provided in the pre-qualification bid. As
required, the list of details specified in the table below is given in the formats specified in
the RFP:
S.No Enclosed details Pg.No
1 General information about the Bidder/Consortium
2 Information about the company
3 Financial details as per audited balance sheet
The details specified in the formats are substantiated with support documents as required.
Sincerely yours
(Signature) (In the capacity of)
Duly authorized to sign the Tender Response for and on behalf of :
(Name and Address of Company) Seal/Stamp of bidder
Witness Signature : Witness Name :
Witness Address :
CERTIFICATE AS TO AUTHORISED SIGNATORIES
I, certify that I am Secretary of the ……………….., and that …………………………..
who signed the above Bid is authorized to bind the corporation by authority of its
governing body.
(Secretary)
Date
(Seal here)
3.4 Annexure-4: Pre-qualification Formats
I General Information
S.No Particulars Details to be Furnished
A Details of the Prime Bidder (Company)
Name
Address
Telephone/Mobile Fax
E-mail Website
Details of Authorized person
Name
Address
Telephone/Mobile Email
II Information about the Company
i) Is the firm/company registered under the Indian Companies Act, 1956, the Partnership Act, 1932 and the Registration of Societies Act?
Give Page no. where proof is given
ii) Has the firm/company been in operation for a period of at least 3 years as of 31.3.2007?
Give Page no. where proof is given.
iii) Has the firm/company provided attested copies of the following valid registrations?
a. Provident Fund No.
b. PAN No.
c. Service Tax Registration No.
d. Income Tax Registration No.
Give Page no. where proof is given
iv) Is the Firm/Company empanelled as an IT Security Auditor by CERT-IN (valid up to 31st March 2008)?
Give Page no. where proof is given
v) Does the Firm/Company have SEI CMM Level 5 Certification?
Give Page no. where proof is given
vi) Does the Firm/Company have a branch in the National Capital Region?
Give Page no. where proof is given
vii) Does the Firm/Company have experience of conducting similar Website Audits, as proposed by the Department of Information Technology, Government of N.C.T. of Delhi, in a minimum of 3 audit projects for organizations such as banks, financial institutions, Insurance Companies or Government departments during the last 3 years?
Give Page no. where proof is given
viii) Does the Firm/Company have at least one Commercial Security Audit Tool?
Give Page no. where proof is given
III Financial Details as per Audited Balance Sheet
Year        Turnover in Rs.
2004-05
2005-06
2006-07
Total Turnover (the last three years in Information Technology related operations):
i) Does the firm/company have an average turnover of 25,00,000/- (Twenty-five Lakhs) during the last 3 financial years in Information Technology related Projects, as revealed by audited accounts? (Proof of this needs to be attached)
Give Page no. where proof is given
IV) Manpower to be deployed on this project
i) Do you have a Project Manager (to be deployed on the project, if awarded) who has a full-time B.Tech/B.E in Computer Engineering/Information Technology and at least ten years of experience in the Information Technology field, out of which he/she should have at least 5 years of experience in handling Information Security Audits? The project manager to be deployed on this project must be a CISA certified person.
Give Page no. where proof is given.
ii) Do you have 5 personnel (to be deployed on the project, if awarded) who have a full-time B.Tech/B.E in Computer Engineering/Information Technology and at least 5 years of experience in the Information Technology field, out of which he/she should have at least two years of experience in handling Information Security Audits? Preference will be given to CISA/CISSP certified persons.
Give Page no. where proof is given.
Please provide details of the personnel who are intended to be deployed on this project in the format given at Annexure 10 & Annexure 13 of this RFP.
3.5 Annexure-5 Technical Bid
Letter Dated Date/Month/Year
The Secretary, Information Technology
Government of Delhi
Dear Sir,
Sub: Technical bid proposal for website and web application security audit for the Delhi Government departments, Corporations and Local bodies.
Having examined the tender document, the receipt of which is hereby duly acknowledged, we, the undersigned, offer to carry out the website and web application security audit for the Delhi Government departments, Corporations and Local bodies as required and outlined in the RFP for Government of N.C.T of Delhi.
To meet the requirements and provide the services set out in the tender document, we attach hereto the tender technical response as required by the tender document, which constitutes our proposal. Our abilities to carry out the website and web application security audit for the Delhi Government departments, Corporations and Local bodies as required by the Government are explained in the technical response. The response sought by the Government is given within the formats prescribed by the Government. Kindly refer to the enclosures for details on the formats enclosed. Additionally, we have included the following supplementary information to support our proposal:
i. Supplementary information title one
ii. Supplementary information title two
If our proposal is accepted, we will obtain a performance bank guarantee in the format
given in the tender document issued by a Scheduled Commercial Bank in India,
acceptable to the Government of Delhi, for a sum of 10% of value of contract for due
performance of the contract.
We agree to the unconditional acceptance of all the terms and conditions set out in the tender document and also agree to abide by this tender response for a period of SIX (plus ONE) MONTHS from the date fixed for tender opening. It shall remain binding upon us with full force and virtue until, within this period, a formal contract is prepared and executed; this tender response, together with your written acceptance thereof in your notification of award, shall constitute a binding contract between us and the Government of NCT of Delhi.
We have read and understood the criteria spelt out for evaluating the technical bids as mentioned in this RFP. If the committee invites us to make a presentation on a date and at a time and location determined by Secretary (Information Technology), we will be glad to be there and present the solution proposed by us and the key points of our proposal.
During technical bid evaluation, if you find some parts of the proposal ambiguous or uncertain, you may seek oral clarifications. The clarifications shall be addressed to the primary contact person Dr. V. Ranga Rao, who is reachable at the following address:
Address and telephone information:
Department of Information Technology,
Government of NCT of Delhi,
Level – 9, B - Wing, Delhi Secretariat,
I.P. Estate, New Delhi-110 002.
Phone: 011-23392074 Email: [email protected]
We confirm that the information contained in this proposal or any part thereof, including its
exhibits, schedules, and other documents and instruments delivered or to be delivered to
the Government of N.C.T of Delhi is true, accurate, and complete. This proposal includes
all information necessary to ensure that the statements therein do not in whole or in part
mislead the Government of N.C.T of Delhi as to any material fact.
We agree that you are not bound to accept the lowest or any tender response you may receive. We also agree that you reserve the right, in an absolute sense, to reject all or any of the products/services specified in the tender response without assigning any reason whatsoever.
It is hereby confirmed that I/We are entitled to act on behalf of our
corporation/company/firm/organization and empowered to sign this document as well as
such other documents, which may be required in this connection.
Dated this Day of 2007
(Signature) (In the capacity of )
Duly authorized to sign the Tender Response for and on behalf of :
(Name and Address of Company) Seal/Stamp of bidder
Witness Signature :
Witness Name :
Witness Address :
CERTIFICATE AS TO AUTHORISED SIGNATORIES
I, certify that I am Secretary of the ……………………..., and that ……………………… who signed the above Bid is authorized to bind the corporation by authority of its governing body.
(Secretary) Date
(Seal here)
3.6 Annexure 6 Technical Bid Format:
TECHNICAL EVALUATION FORMAT
1) Describe Experience in working with Government Departments and Public Sector for similar Projects. (As per Annexure 8)
2) Describe Quality Management Standards/Certifications.
3) Describe Experience in conducting similar website and web application Security Audits. (As per Annexure 8)
4) Describe Level of understanding of the Project.
5) Provide Vendor’s Proposed Technical solution: Type of Security assessment tools to be used for identifying Security Vulnerabilities (Licensed/Free) and Technologies.
6) Describe Project implementation Methodology giving approach of vendor along with rollout plan, Project Management and Reporting.
7) Describe Level of skills and experience.
8) List Number of CISA / CISSP and other personnel to be deployed on this project.
a) No of CISAs:
b) No of CISSPs:
c) Others:
9) Number of Personnel in various categories proposed to be deployed on this project. Provide complete details such as the Job / Experience / qualifications profile of the Project Manager and other key Personnel to be involved in the project (As per Annexure 10 and Annexure 13), including relevance of Experience of the Individual to Website & Web Application Security.
10) Sample Reports, Fulfilment of Audit Requirements as per this RFP Scope of Work - The extent to which the Bidder’s proposed solution fulfils the Department of Information Technology’s stated requirements as set out in this tender. An assessment of the Bidder’s ability to deliver the indicated service in accordance with the specifications set out in this tender.
3.7 Annexure 7: FINANCIAL PROPOSAL FORMAT
Cost Summary Sheet:
Sr.No  Carrying out Security Audit                                                         Cost in Rupees
1      Task 1: Web Security Audit/Assessment.                                              Rs.
2      Task 2: Re-Audit – Audit of websites and applications based on Task 1.              Rs.
3      Task 3: Re-re-Audit – Further iteration of Re-Audit (if required) based on Task 2.  Rs.
4      Sub total Cost of Sr.No 1, Sr.No 2 & Sr.No 3:                                       Rs.
5      *Cost on account of Taxes:
       5a) VAT (If applicable)                                                             Rs.
       5b) Service Tax (If applicable)                                                     Rs.
       5c) Any other Taxes (If applicable)                                                 Rs.
6      Sub total Cost of 5(a), 5(b) and 5(c)                                               Rs.
7      **Grand Total Cost (Sr. No 4 and Sr. No 6)                                          Rs.
Note:
• *Please show the calculation of taxes along with the applicable rate of taxes.
• **Grand total cost of the project arrived at by the above formula will be considered for financial bid evaluation.
• Definition and Scope of each element of the above is detailed in Section 2 Scope of Work.
Company’s Official Seal
Signature: ___________________________ Date: _______________
Full Name of Signatory: ___________________________
Duly authorized to sign bids for and on behalf of: _____________________________
3.8 Annexure 8: PROJECT EXPERIENCE
COMPANY'S SPECIFIC EXPERIENCE DURING LAST THREE YEARS IN THE FIELD OF IT SECURITY:
The following information should be provided in the format indicated for each reference project which your company, either individually as a corporate entity or as one of the major companies within a consortium, has carried out as the same and/or similar work in the field of Information Technology Security Audit.
Project Name: Country:
Project Location within Country: Professional Staff Provided by your Company/Associates No. of Staff
Name of Client, Public/Private Sector Contact Person, Contact Details, Address:
No. of Man-months:
Start Date (month/year):
Completion Date (month/year):
Approx. Value of Services:
Name of Associated company(s), if any:
No. of Man-months of professional staff provided by associated company(s):
Name of Senior Staff (Project Director/Coordinator, Team Leader) involved and functions performed:
Detailed Narrative Description of Project, nature of work, and services provided by your company:
3.9 Annexure 9 – UNDERTAKING FORMAT
1. It is certified that the information furnished herein and as per the documents submitted is true and correct and nothing has been concealed or tampered with. We have gone through all the conditions of the tender and are liable to any punitive action for furnishing false information / documents.
2. The technical solution offered fully meets your requirements and has no deviations or variations from the scope of work defined in this RFP. The entire work shall be performed as per Department of Information Technology, Government of N.C.T. of Delhi, specifications and documents.
Dated this _____ day of ____________________ 2007
Signature
(Company Seal)
__________________
In the capacity of
Duly authorized to sign Applications for and on behalf of:
3.10 Annexure 10: FORMAT OF CURRICULUM VITAE
• Name of Company:
• Name of Staff:
• Job Designation:
• Role in this project
• Total years of experience:
• Years with Company:
• Nationality:
• Membership in Professional Societies:
• Key Qualifications:
(Give an outline of staff member’s experience and training most pertinent to tasks on
assignment. Describe degree of responsibility held by staff member on relevant
previous assignments and giv