

Page 1: Telangana State Technology Services Ltd… · Telangana State Technology Services Ltd BRKR Bhavan, ... Hyderabad with validity of 90 days from Bid closing date. The ... contact

--------------------------------------------------------------------------------------------------------------------------- --1--

Telangana State Technology Services Ltd

BRKR Bhavan, C-Block, Tankbund Road, Hyderabad – Telangana - 500063, Phone: (40) 2322 4935, 23221760; Fax: 23228057

Website: http://www.tsts.telangana.gov.in/

TSTS/CS/CTD-ITSECURITY/2017, Dated 05.06.2017

To

The CERT-In Empanelled IT Security Audit Agencies

SHORT Limited Tender Notice

Sub: TSTS – CS – Identification of IT Security Consultant/Agency to undertake Functional & Security Audit Test of IT & Network Infrastructure for Commercial Tax Dept., Govt. of Telangana – Reg.

On behalf of the Commissioner, Commercial Tax Department, TSTSL invites techno-commercial quotes for an IT Security Consultant to undertake a Functional & Security Audit from CERT-In empanelled agencies, to ensure the functionality, security and scalability of the existing Software, Hardware and Network Infrastructure for the GST roll-out, and to submit the “as-is” and “to-be” report as per the details given in the Annexure to this document.

Bid Document Fee: Rs. 10,000/- (DD shall be drawn in favour of The Managing Director, TSTS, Hyderabad)

EMD: Rs. 2,00,000/- (in the form of DD/BG in favour of The Managing Director, TSTS, Hyderabad, with validity of 3 months)

Time Schedule:
Date of Issuance of Tender call: 05/06/2017
Pre-Bid meeting: 12/06/2017 @ 11:30 AM in TSTS Conference Hall, 4th Floor, BRKR Bhavan, Hyderabad
Last date and time for Bid submission: 20/06/2017 03:00 PM
Opening of Bids: 20/06/2017 03:30 PM

For any further details related to the tender, please contact Ms. Vimala, DCTO (CT Dept), 7702100883, or Mr. Sridharachary M, SSE-TSTS, 9963029421.
Email: [email protected]; [email protected]; [email protected]; [email protected]

1 Bidders are advised to study the document carefully. Bids should be submitted online on the e-Procurement website only. The original EMD & Bid Document Fee are to be submitted to TSTS on the bid closing date.

Note: This tender call is issued on the e-procurement market place at www.eprocurement.gov.in. All the terms and conditions are to be read jointly as mentioned on the e-procurement market website and in this document.

2 Any deviation in format may make the quotation liable for rejection.

3 The Quotation/Bid should be valid for at least a period of 60 days from the date of bid opening.

4 The Commissioner, CT Dept / The Managing Director, TSTSL reserves the right to accept or reject any or all the quotations without assigning any reason thereof, and to add, modify or delete any of the terms and conditions without any notice.

5 Conditional bids are not acceptable and are liable for rejection.

6 EMD: The vendor should submit an EMD of Rs. 2,00,000/- for each participating item in the form of a Demand Draft from any Nationalised/Scheduled bank in favour of The Managing Director, TSTS, Hyderabad, with validity of 90 days from the bid closing date. The scanned copy of the EMD should be uploaded on the e-procurement website in the technical bid. The original EMD should be submitted before opening of the Technical Bid.

--------------------------------------------------------------------------------------------------------------------------- --2--

The EMD will be returned to unsuccessful bidders. The EMD of the successful bidder will be returned after submission of the PBG.

7 General Eligibility:

A. Only those Organizations/firms that are currently empanelled with CERT-In are eligible for submitting the bid.

B. The Bidder must possess and submit a valid Permanent Account Number (PAN) and Service Tax Registration Certificate.

C. The Bidder should be willing to set up a Local Office in Hyderabad. Details of the service centre should be submitted by those having a local presence. If no local office is available, an undertaking in this regard should be submitted on the company letterhead stating that the local office shall be opened within 15 days from the date of issue of the LoI.

D. Any firm/organization debarred by a Govt./Semi-Govt. Dept./Autonomous body shall not be considered for this tender and the bid will be rejected straightaway. The bidder should submit a declaration in the bid stating that they are not debarred/blacklisted.

E. The bidder should have at least 30 IT Professionals in the field of Software Application Development, Testing & Maintenance and Security Audit on the bidder's payroll as on the bid calling date. An undertaking in this regard should be submitted by the bidder in the bid.

F. The price bids of only those firms that fulfil the terms and conditions of this bid will be opened.

8 Bidding Procedure:

Bids should be submitted in two parts, namely “Technical bid” and “Financial bid”, through sealed cover. The bidder should submit all the required formats and documents as mentioned in the tender document.

Technical Bid: DOCUMENTS REQUIRED TO BE SUBMITTED WITH THE TECHNICAL BID:

1. Bid Letter Form: Copy of this tender document duly signed with the seal of the firm/organization, in token of acceptance of the terms and conditions

2. EMD scanned copy

3. General Information of Bidder along with Address & Contact Person Details: All the firms participating in the Tender must submit a list of their owners/partners etc. along with their contact numbers/email ids.

4. Service Tax/VAT Registration Certificate along with Service Tax/TIN Number.

5. Representative Authorization Letter

6. Valid CERT-In Empanelment as on the date of bidding (copy to be submitted)

7. Past projects executed in the area of IT Infrastructure/Application/Network Security Audit in the last 3 FYs. Copies of Work Orders along with Satisfactory Performance reports to be submitted.

8. Firm Turnover: Audited balance sheets / CA certificate for the last three years

9. Local Office details

10. Declaration regarding not being blacklisted: Certificate to the effect that the firm is not blacklisted/debarred by any Govt. Department/Autonomous Body/PSU anywhere in India.

11. Technical Document describing

a. Understanding of Project

b. Implementation Approach,


--------------------------------------------------------------------------------------------------------------------------- --3--

c. Team Deployment plan along with team CVs and Skills

d. Audit Completion plan

12. Bid Document Fee DD

13. Any other documents, if any

All Other supporting documents as required in the tender shall be attached.

Financial Bid: The Financial bids of only the TQ-qualified bidders shall be opened on the eProcurement portal and the evaluation shall be undertaken by the Committee. The price bids of only those firms that fulfil the terms and conditions of this document will be opened. L1 will be identified on the basis of the Total Amount among the technically qualified bidders.

9 Project Duration: Till completion of the Audit and submission of reports.

Payment Terms: Payments shall be released against successful completion of milestones in the indicated ‘8’ areas of the Functional & Security Audit, submission of reports on each, and acceptance, fixing of vulnerabilities & certification of the deliverables by the CT Dept. Any SLA penalties shall be deducted before release of payments to the agency.

10 Rectification of Errors: Bidders are advised to exercise utmost care in entering the pricing figures. No requests regarding correction of mistakes in the financial bids will be entertained after the bids are submitted. If any interlineations, erasures, alterations, fluid marking, additions or overwriting are found, the bid shall be rejected summarily. Arithmetical errors in bids will be considered as follows:

a) Where there is a discrepancy between the amount in figures and in words, the amount in words shall govern.

b) Notwithstanding the above, the decision of the Evaluation Committee shall be final and binding.

11 The Tender Evaluation Committee reserves the right to relax any terms and conditions in the Govt. interest, with the approval of the competent authority.

12 Overall Bid Evaluation:

I. The Bid evaluation shall be undertaken by the Evaluation Committee comprising officials from the User Department, ITE&C Dept. and TSTS.

II. A two-stage procedure will be adopted for evaluation of proposals, with the technical stage first and thereafter the financial proposals being opened and compared.

III. The Committee will evaluate the bids to determine whether they are substantially responsive as per the qualifying terms. Bids that are not substantially responsive are liable to be disqualified. The Bidders shall be asked by the Committee to give a technical presentation on the approach and methodology to implement the project as per the scope of work.

IV. The Evaluation Committee will assess the bidders on the technical documentation submitted. The commercial bids of the technically qualified bidders will then be opened and reviewed to determine whether the commercial bids are substantially responsive.

V. The evaluation will be made on a Least Cost basis (L1 bidder).

VI. Conditional bids are liable to be rejected. Any attempt by a bidder to influence the bid evaluation process may result in the rejection of the bidder's bid.

Award of Contract: The proposals will be ranked in terms of the quotes received, from low to high. The bidder with the Least Cost may be considered for award of contract by the Committee. The successful bidder shall enter into a Contract Agreement with the O/o Commissioner, Commercial Tax Dept, Govt. of Telangana upon submission of a PBG of 10% of the Project value.

13 General Terms & Conditions:

A. Term and Extension of Contract

The term of this Contract shall initially be for a period of 6 months and shall be extended by the Dept based on the performance.

--------------------------------------------------------------------------------------------------------------------------- --4--

The Department/TSTS shall reserve the sole right to grant any extension to the term mentioned above on mutual agreement, including on terms and conditions.

B. Suspension of Work

The Service Provider shall, if ordered in writing by the User Department/TSTS representative, temporarily suspend the works or any part thereof for such a period and such a time as ordered. The Service Provider shall not be entitled to claim compensation for any loss or damage sustained by him by reason of temporary suspension of the Works as aforesaid. An extension of time for completion corresponding with the delay caused by any such suspension of the works as aforesaid shall be granted to the consulting agency, if a request for the same is made and the suspension was not consequent to any default or failure on the part of the Consulting agency. In case the suspension of works is not consequent to any default or failure on the part of the Service Provider and lasts for a period of more than 3 months, the Service Provider shall have the option to request TSTS/the User Department to terminate the Contract with mutual consent.

C. Force Majeure:

The Service Provider shall not be liable for forfeiture of its performance security, liquidated damages, or termination for default if and to the extent that its delay in performance or other failure to perform its obligations under the Contract is the result of an event of Force Majeure.

For purposes of this clause, “Force Majeure” means an event beyond the control of the Bidder, not involving the Supplier’s fault or negligence and not foreseeable. Such events may include, but are not restricted to, acts of the State Government in its sovereign capacity, wars or revolutions, fires, floods, epidemics, quarantine restrictions and freight embargoes.

If a Force Majeure situation arises, the Bidder shall promptly notify TSTS in writing of such condition and the cause thereof. Unless otherwise directed by TSTS / the User Department in writing, the Bidder shall continue to perform its obligations under the Contract as far as is reasonably practical, and shall seek all reasonable alternative means for performance not prevented by the Force Majeure event.

D. Terminate the Contract

Retain such amounts from the payment due and payable by TSTS/the User Department to the Service Provider as may be required to offset any losses caused to the Dept as a result of such event of default, and the Service Provider shall compensate the Dept for any such loss, damages or other costs incurred by the Dept in this regard. Nothing herein shall affect the continued obligation of the Service Provider / other members of its Team to perform all their obligations and responsibilities under this Contract in an identical manner as they were being performed before the occurrence of the default.

Invoke the Performance Bank Guarantee and other Guarantees furnished hereunder, enforce the Deed of Indemnity, recover such other costs/losses and other amounts from the Service Provider as may have resulted from such default, and pursue such other rights and/or remedies as may be available to the Dept under law.

E. Termination

The Dept. may terminate this contract in whole or in part by giving the Service Provider prior written notice indicating its intention to terminate the Contract under the following circumstances:

Where it comes to the Dept.’s attention that the Service Provider (or the Consulting agency’s Team) is in a position of actual conflict of interest with the interests of the Dept. in relation to any of the terms of the Consulting agency’s bid, the tender or this Contract.


--------------------------------------------------------------------------------------------------------------------------- --5--

Where the Service Provider’s ability to survive as an independent corporate entity is threatened or is lost owing to any reason whatsoever, including inter alia the filing of any bankruptcy proceedings against the Consulting agency, any failure by the Service Provider to pay any of its dues to its creditors, the institution of any winding-up proceedings against the Service Provider or the happening of any such events that are adverse to the commercial viability of the Consulting agency. In the event of the happening of any events of the above nature, the Dept. shall reserve the right to take any steps as are necessary to ensure the effective transition of the project to a successor Consulting agency, and to ensure business continuity.

F. Termination for Default:

The Dept. may at any time terminate the Contract by giving 30 days’ written notice to the Service Provider, without compensation to the Service Provider, in the event of default on the part of the Service Provider, which may include failure on the part of the Service Provider to respect any of its commitments with regard to any part of its obligations under its bid, the tender or this contract.

G. Termination for Insolvency

The Dept./TSTS may at any time terminate the contract by giving 30 days’ written notice to the Bidder if the Bidder becomes bankrupt or otherwise insolvent. In this event, termination will be without compensation to the Bidder, provided that such termination will not prejudice or affect any right of action or remedy which has accrued or will accrue thereafter to the Dept./TSTS.

H. Termination for Convenience:

TSTS/the User Department may at any time, by giving 30 days’ written notice to the Bidder, terminate the Contract, in whole or in part, for its convenience. The notice of termination shall specify that termination is for the convenience of TSTS/the User Department, the extent to which performance of the Bidder under the Contract is terminated, and the date upon which such termination becomes effective.

The client may, in the following events, after giving prior notice and conducting investigations if required, terminate the contract, forfeiting the bid security and any sums due for payment to the Vendor:

If the value of the penalty for different services together exceeds 10% of the contract amount for 1 year.

If the Bidder becomes bankrupt or financially insolvent during the currency of the contract.

If it is found that the bidder has been convicted for any unlawful activities.

If it is found that the bidder has committed gross misconduct or been involved in practices injurious to the image and interest of the client, or has failed in performing his duties as per the contract.

I. Risk Management

The Service Provider shall at his own expense adopt a suitable Risk Management methodology to mitigate all risks assumed under this contract. The Service Provider shall underwrite all the risk related to its personnel deputed under this contract, as well as equipment, components and any other belongings of their personnel during the entire period of their engagement in connection with this contract, and take all essential steps to reduce and mitigate the risk. TSTS/the User Department will have no liability on this account.

J. Publicity

The Service Provider shall not make, or permit to be made, a public announcement or media release about any aspect of this Contract unless TSTS/the User Department first gives the Service Provider its written consent.


--------------------------------------------------------------------------------------------------------------------------- --6--

K. Resolution of Disputes:

TSTS/the User Department and the Bidder shall make every effort to resolve amicably, by direct informal negotiation, any disagreement or dispute arising between them under or in connection with the contract.

If, after thirty (30) days from the commencement of such informal negotiations, TSTS/the User Department and the Bidder have been unable to resolve amicably a contract dispute, either party may require that the dispute be referred for resolution to the formal mechanisms specified herein. These mechanisms may include, but are not restricted to, conciliation mediated by a third party.

The dispute resolution mechanism shall be as follows:

In case of a dispute or difference arising between TSTS/the User Department and the Firm/bidder relating to any matter arising out of or connected with this agreement, such dispute or difference shall be settled in accordance with the Arbitration and Conciliation Act of India, 1996.

Governing language

The contract shall be written in English. All correspondence and other documents pertaining to the contract which are exchanged by the parties shall be written in the same language.

L. Applicable law

The contract shall be interpreted in accordance with appropriate Indian Laws.

M. Notices

Any notice given by one party to the other pursuant to this contract shall be sent to the other party in writing or by Telex, e-mail, Cable or Facsimile, and confirmed in writing to the other party’s address.

N. Taxes and duties

The Bidder shall be entirely responsible for all taxes, duties, licence fees etc. incurred until delivery of the contracted services to the Commissioner, Industries, Government of Telangana, or as per the terms of the tender document if specifically mentioned.

O. Arbitration (As per the State Government Rules)

The selected Service Provider shall indemnify the State against all third-party claims arising out of a court order or arbitration award for infringement of patent, trademark or copyright arising from the use of the supplied services or any part thereof.

In the event of any dispute or differences arising under these conditions or any special conditions of the contract in connection with this contract, the same shall be referred to “The Prl. Secretary, Information Technology, Electronics & Communications (ITE&C), Government of Telangana” for final decision, and the same shall be binding on all parties.

The Selected Service Provider and TSTS shall make every effort to resolve amicably, by direct negotiation, any disagreement or dispute arising between them under or in connection with the purchase order. If any dispute shall arise between the parties on aspects not covered by this agreement, or the construction or operation thereof, or the rights, duties or liabilities thereunder, except as to any matters the decision of which is specially provided for by the general or the special conditions, such dispute shall be referred to two arbitrators, one to be appointed by each party, and the said arbitrators shall appoint an umpire in writing before entering on the reference, and the award of the arbitrators or umpire, as the case may be, shall be final and binding on both the parties. The arbitrators or the umpire, as the case may be, with the consent of the parties, may modify the timeframe for making and publishing the award. Such arbitration shall be governed in all respects by the provisions of the Indian Arbitration and Conciliation Act, 1996 or later, and the rules thereunder and any statutory modification or re-enactment thereof. The arbitration proceedings shall be held in Hyderabad, Telangana, India.

--------------------------------------------------------------------------------------------------------------------------- --7--

14 Other Terms & Conditions

Performance Bank Guarantee (PBG): The successful bidder should submit a PBG for an amount of 10% of the Project Value in the name of “The Commissioner, Industries Department” within 1 week from issue of the Notification of Award. The PBG should be valid for 30 days beyond the Project Period.

Contract Agreement: After submission of the PBG, the successful bidder should enter into a Contract Agreement with The Commissioner, Commercial Tax Department, Govt. of Telangana.

Transaction fee: All the participating bidders who submit bids have to pay an amount @ 0.03% of their final bid value online, with a cap of Rs. 10,000/- for a quoted purchase value up to Rs. 50 crores and Rs. 25,000/- if the purchase value is above Rs. 50 crores, plus service tax applicable @ 14.5% as levied by the Govt. of India on the transaction fee, online in favour of MD, TSTS. The amount payable is non-refundable.

Corpus Fund: The successful bidder has to pay an amount of 0.04% of the quoted value through demand draft in favour of the Managing Director, TSTSL, Hyderabad towards the corpus fund at the time of concluding the agreement.

15 Bidders are requested to submit their bids after issue of amendments/clarifications, duly considering the changes made, if any. Bidders are totally responsible for incorporating/complying with the changes/amendments issued, if any, before the bid submission time & date.

16 Bids shall be submitted online on the www.eprocurement.gov.in platform

1. The participating bidders in the tender should register themselves free of cost on the e-procurement platform at the website www.eprocurement.gov.in.

2. The bidders who are desirous of participating in e-procurement shall submit their technical bids and price bids as per the standard formats available at the e-market place.

3. The bidders should scan and upload the respective documents in the Technical bid documentation as detailed in the bid document, including the EMD. The bidders shall sign all the statements, documents and certificates uploaded by them, owning responsibility for their correctness/authenticity.

4. The rates should be quoted online in Indian Rupees only.

5. The Transaction Fee is payable to The Managing Director, Telangana State Technology Services Ltd, Hyderabad.

17 1. After uploading the documents, the copies of the uploaded statements, certificates and documents, and the original EMD in respect of Bid Security (except the Price bid/offer/break-up of taxes), are to be submitted by the bidder to the O/o The Managing Director, TSTSL, BRKR Bhavan, Hyderabad as and when required.

Failure to furnish any of the uploaded documents or certificates will result in rejection of the bid. TSTSL shall not hold any risk on account of any delay. Similarly, if any of the certificates, documents, etc. furnished by the Bidder are found to be false/fabricated/bogus, the bidder will be disqualified and blacklisted, action will be initiated as deemed fit, and the Bid Security will be forfeited.

2. TSTSL will not hold any risk and responsibility regarding non-visibility of the scanned and uploaded documents.

3. Only the documents that are uploaded online on the e-market place will be considered for Bid Evaluation.

4. Important Notice to Contractors, Suppliers and Department users

(i) In the endeavour to bring total automation of processes in e-Procurement, the Govt. has issued orders vide G.O.Ms.No. 13 dated 5.7.2006 permitting integration of the electronic Payment Gateway of ICICI/HDFC/Axis Banks with the e-Procurement platform, which provides a facility to participating suppliers/contractors to electronically pay the transaction fee online using their credit cards.


--------------------------------------------------------------------------------------------------------------------------- --8--

18 TSTSL/the User Department reserves the right not to consider the bid of a bidder if such bidder was a previous supplier and had a past bad track record, or their earlier performance was unsatisfactory on any count.

19 1. The bidder should upload all the required documents duly signed by the Authorised person of the bidding Organization with clear visibility, avoiding missing documents and bidding mistakes. In such cases, TSTS reserves its right to seek clarification from the bidder and may disqualify the bidder for bidding mistakes, missing documents and documents that are not clear.

2. The price quoted should be valid for a period of one year, and the price quoted should not be higher than the prevailing market price or the price at which sold for the previous order. If found to be higher, the bidder is liable for legal proceedings & penalties.

3. The quality of the items being supplied by the bidder must adhere to the specifications mentioned, and the bidder should submit a compliance statement declaring the matching of the specifications. For each item, a quality certificate is also to be enclosed along with the bid.

Sd/-


--------------------------------------------------------------------------------------------------------------------------- --9--

Bid Formats

Bid Letter Form (To be submitted in TQ bid)

From: (Registered name and address of the bidder)

To: The Managing Director,

Telangana State Technology Services Limited,

Boorgula Ramakrishna Rao Bhavan, C-block, 1stfloor,

Tank bund Road, Hyderabad,

PIN: 500 063,

Sir,

Having examined the bidding documents and amendments there on, we the undersigned, offer to

provide services/execute the works as the case may be, in conformity with the terms and conditions

of the bidding document and amendments there on, for the following project in response to your

tender call no & dated ...............................

Projecttitle:

We undertake to provide services/execute the above project or its part assigned to us in conformity

with the said bidding documents for an amount quoted in financial bid accordance with the

schedule of prices attached herewith and coverage options made by TSTSL or its user

organization.

If our bid is accepted, we undertake to;

a. provide services/execute the work according to the time schedule specified in the bid document,

b. obtain the performance guarantee of a bank in accordance with bid requirements for the due performance of the contract, and

c. agree to abide by the bid conditions, including pre-bid meeting minutes if any, which remain binding upon us during the entire bid validity period, and the bid may be accepted any time before the expiration of that period.

We understand that you are not bound to accept the lowest or any bid you may receive, nor to give any reason for the rejection of any bid, and that you will not defray any expenses incurred by us in bidding.

Date & Place: Signature of Bidder & Stamp


Form P1 – General Information of the Bidder

(To be submitted in TQ bid)

Sl.No | Description | Supporting Documents with page nos.

1 Name of the Company/ Firm

2 Date of Incorporation (Registration Number & Registering Authority) VAT No., CST No., PAN No.

3 Legal Status of the Company in India & Nature of Business in India

Public Ltd Company/ Private/ Partnership firm

4 Address of the Registered Office in India

5 Name & e-mail id, phone number, fax of the Contact Person

Phone: Fax: Email

6 Web-Site

7 Certifications if any

8 EMD details

Amount: DD No. & Date Name of the Bank: Valid up to :

9 Proof of purchase of bid document Receipt No: Date of purchase:

Date & Place: Signature of Bidder & Stamp


Form P2

REPRESENTATIVE AUTHORIZATION LETTER

Date : _________________________

Ref : _________________________

To

The Managing Director, Telangana State Technology Services Limited, 1st Floor, C Block, BRKR Bhavan,

Tankbund Road, Hyderabad

Dear Sir,

Ms./Mr. ___________________ is hereby authorized to sign relevant documents on behalf of the agency for the RFP for “Identification of IT Security Consultant/Agency to undertake Functional & Security Audit Test of IT & Network Infrastructure for Commercial Tax Dept., Govt. of Telangana”. She/He is also authorized to attend meetings and submit technical and financial information as may be required by you in the course of processing the above said tender.

Thanking you,

Signature of Authorized Signatory:

Name of Authorized Signatory:

Seal of the Organization:

Date:


Form P3

Declaration Regarding Clean Track Record

(To be submitted in TQ bid)

To

The Managing Director, Telangana State Technology Services Limited, 1st Floor, C Block, BRKR Bhavan, Tankbund Road, Hyderabad 500063

Sir,

I have carefully gone through the Terms & Conditions contained in the Tender Document [No. ].

I hereby declare that my company has not been debarred/blacklisted as on the bid calling date by any Central or State Government / Quasi-Government Department or Organization in India for non-satisfactory past performance, corrupt, fraudulent or any other unethical business practices. I further certify that I am a competent officer in my company to make this declaration.

Yours faithfully,

(Signature of the Bidder) Name & Designation, Seal, Date, Business Address:


Form T1

Technical Proposal

A brief technical proposal by the bidder on the project scope, understanding of the project and technologies proposed, covering the following and other issues related to the project, as per the guidelines of CERT-In for the GST Rollout:

a. Project Plan, Approach & Methodology for development.

b. Design and identification of functional requirements of the Audit Process

c. Compliance to various Audit standards

d. Project Implementation approach

e. Operations & Management Approach

f. Tools proposed for the Project

g. Training & Capacity Building Plan

h. Key staff proposed for the Project & Manpower deployment plan.

i. Infrastructure Requirements

j. Exit Management Plan

Date: Signature of Bidder & Stamp


Financial Bid Format

Form F1

Total Cost In Words: ____________________________________________________________

Note:

1. The rate should not be provided as a percentage figure but in absolute Indian Rupees.

2. The rates quoted must be reasonable. The rate quoted will be valid till the completion of the project. The period of validity of rates can be extended with mutual agreement.

3. All other tasks pertinent to the project, even though they may not have been mentioned in the bid document, are assumed to have been included in the work.

4. Deduction of taxes at source will be made as per applicable laws from the payments to be made to the vendor.

5. The bidder shall be entirely responsible for all taxes, duties and license fees valid as on date. However, in case of imposition of any new taxes or an increase/decrease in the tax structure by the Government, the same would be to the account of the User Department.

Date: Signature of Bidder & Stamp

S.No | Content Items | Item Cost (in Rs.) | Taxes in % | Total Cost incl. taxes (Rs.)

A. Cost of Functional & Security Audit of the following Components (2 iterations):

1 Application Security

2 Application Functional Control

3 IT General Control Review

4 Software Change control Review

5 Data communication and network controls Review

6 Performance and Scalability review

7 Security Control – Infrastructure Review

8 Review of Business Continuity / Disaster Recovery Controls

9 IT Support & IT Asset Management Review

B Cost towards preparation of Comprehensive Information Security Policy

GRAND TOTAL PRICE (Rs.) (A + B)


Annexure

Detailed Scope of Work

As part of GST implementation, the GoI has instructed all the State Governments to be prepared with the required IT & Network infrastructure. Further, since operation of the IT infrastructure is critical for a successful roll-out of GST, it is imperative that the Software, Hardware and Network Infrastructure put in place by the States be audited properly to ensure functionality, security & scalability of the Software, Hardware and Network Infrastructure components.

The Govt. of India has prepared a ‘Model Functional & Security Audit Test Plan’ and suggested that the States get a Functional and Security Audit of their existing IT Infrastructure conducted by an independent agency before the roll out of GST, to ensure a smooth roll out.

The primary objective of the security audit exercise is to identify major vulnerabilities in the existing setup at CTD with respect to internal and external threats. Once the threats are identified and reported, the auditors should also suggest possible remedies in their report to the Department, as per the CERT-In standards.

In this regard, it is intended to identify a suitable agency to undertake the Functional and Security Audit of the existing IT Infrastructure of the Telangana Commercial Tax Dept and advise the Department accordingly. The identified agency shall sign a Non-Disclosure Agreement (NDA) with the CT Dept.

As part of Security Audit, following are to be undertaken:

Perform a risk assessment and determine the level of risk

Audit the highest risk areas

Review the security settings of the information systems

Uncover risks and control deficiencies that endanger data security.

Identify vulnerabilities of the applied IT systems.

Enable the mitigation of risks that arise from system complexity.

In the Functional Audit, following are to be undertaken:

Review whether the information systems operate in accordance with predefined business logic.

Identify areas which do not comply with either efficiency or business requirements.

Review the design and operating effectiveness of application controls

Evaluate the in-scope systems’ application controls along aspects assembled on the basis of the Department's needs.

Provide remedies for functional deficiencies, which can reduce the extra costs arising from manual troubleshooting.

A. Executive Summary

GST stands for “Goods and Services Tax” and is proposed to be a comprehensive tax levy on goods as well as services at the national level. It will replace all other taxes levied on goods and services by the central and state governments. The GST Council has been formed as the management body to take all decisions with regard to the GST. The GST will be implemented through an IT system and would replace all manual activities for indirect taxes on goods and services. The portal/application will have primarily two components:


1. Front-end modules: This will have three modules (to begin with): Registration, Payments and Returns.

2. Back-end modules: This will have 4-5 modules, such as Risk Management, MIS, Appeals, Assessments etc.

GSTN has been formed as a semi-government body which has been assigned the responsibility of implementing the IT systems for GST. Once development was initiated, some of the states expressed a willingness to develop their own customized back-end modules, because these modules were found to be very specific to their region. The front-end modules, however, will be the same for all the states and would be developed by GSTN. The states which are planning to develop their own back-end modules have been classified as “Model 1 states”. There are 9 such states. All other states have been classified as “Model 2 states”.

Model 1 states: The front end will be provided by GSTN via cloud connectivity/APIs (44 APIs in total). Back-end modules are being developed by the states themselves. All Model 1 states have either a third party for SI activities; the associated hardware and network connectivity would also be the responsibility of the respective states.

Model 2 states: Both the front-end and back-end will be provided by GSTN via cloud connectivity. The state will have the responsibility to ensure that the portal can be accessed via its own network (SWAN).

A snapshot of the description of each of the audit areas is provided below:

Major Audit Area: Description

Application Functional Control Review: Business control review of processes such as workflow approvals and access, data edits and validations, file transmission controls (interfaces), recording and reporting controls etc. Standard / Leading Practices Reference: COBIT

Application Security Review: Vulnerability assessment and penetration testing of applications, secure coding practices. Standard / Leading Practices: OWASP, ISO 27001

IT General Controls Review: Segregation of duties, database and application access, physical access, backup management, incident and problem management. Standard / Leading Practices: ISO 27001, ISO 20000, ITIL etc.

Software Change Control Review: Software change management, testing process, version control, environment segregation. Standard / Leading Practices: ISO 20000, 27001, 12207

Data Communication / Network Controls Review: Network administration, WAN management, encryption, connection permissions, fallback mechanisms. Standard / Leading Practices: 2703, 27001

Security Controls – Infrastructure Review: LAN, OS and database security controls and monitoring, IS controls and information security reviews, Internet connection controls, virus protection. Standard / Leading Practices: ISO 27033, 27001

Business Continuity / Disaster Recovery Review: Business impact analysis, risk assessment and DR process, DRS installations and drills. Standard Reference: ISO 22301

IT Support and IT Asset Management Review: Utilization monitoring, capacity planning, IT asset procurement and maintenance contracts, documentation for systems, policies and procedures. Standard / Leading Practices: ISO 20000, 55000

Performance and Scalability Review: Performance of servers and networks in case of an increase in user base and points of presence; support by the underlying technology when there is an expansion of the user base or points of presence (POP).

Timeline for phase-wise project completion: Timeline and process chart for timely completion; approach and methodology of implementation.

The details of each of the activities along with the approach and tools / technologies is provided below.

B. Audit Components : Details of each of the major audit areas

The following table lists the major audit areas and the broad coverage of each:

Major Audit Area: Description

Application Functional Control Review: Business control review of processes such as workflow approvals and access, data edits and validations, file transmission controls (interfaces), recording and reporting controls etc. Standard / Leading Practices Reference: COBIT

Application Security Review: Vulnerability assessment and penetration testing of applications, secure coding practices. Standard / Leading Practices: OWASP, ISO 27001

IT General Controls Review: Segregation of duties, database and application access, physical access, backup management, incident and problem management. Standard / Leading Practices: ISO 27001, ISO 20000, ITIL etc.

Software Change Control Review: Software change management, testing process, version control, environment segregation. Standard / Leading Practices: ISO 20000, 27001, 12207

Data Communication / Network Controls Review: Network administration, WAN management, encryption, connection permissions, fallback mechanisms. Standard / Leading Practices: 2703, 27001

Security Controls – Infrastructure Review: LAN, OS and database security controls and monitoring, IS controls and information security reviews, Internet connection controls, virus protection. Standard / Leading Practices: ISO 27033, 27001

Business Continuity / Disaster Recovery Review: Business impact analysis, risk assessment and DR process, DRS installations and drills. Standard Reference: ISO 22301

IT Support and IT Asset Management Review: Utilization monitoring, capacity planning, IT asset procurement and maintenance contracts, documentation for systems, policies and procedures. Standard / Leading Practices: ISO 20000, 55000

Performance and Scalability Review: Performance of servers and networks in case of an increase in user base and points of presence; support by the underlying technology when there is an expansion of the user base or points of presence (POP).

Monitoring: Real-time sensitive data monitoring.

Timeline for phase-wise project completion: Timeline and process chart for timely completion; approach and methodology of implementation.

C. Various Areas of Audit and Brief Activities to be undertaken under each Area:

1. Application Security Review

1.1 Activities

i. Identify the application’s access control mechanisms.

ii. Assess the application’s access control mechanisms by passing arbitrary parameters/values as part of the request.

iii. Secure code review: static or dynamic testing.

iv. Black box, grey box and white box testing of State-level modules / client version of the software suite.

v. Perform the following tests on the application:

a. Unvalidated input test;

b. Broken access control test;

c. Session management test;

d. Cross-site scripting test;

e. Buffer overflow test;

f. Insecure configuration test;

g. Insecure storage and improper error handling test;

h. Injection test;

i. Key management for encryption;

j. Secure communication protocols.

1.2 Approach & Methodology:

a. The application security review will commence with an application walkthrough. Subsequently, a tool-based application vulnerability scan will be performed, comprising the following activities:

Exploration: The web application will be explored using a tool that simulates a user/visitor following links and menus and filling in form fields. During this stage, malformed requests will also be sent to the application to determine the manner in which it generates error responses. This is necessary to enhance the accuracy of the automated tests.

Vulnerability identification: An automated application vulnerability assessment tool will be used to identify vulnerabilities by executing a series of tests based on the output of the exploration stage. The application’s response to each test will be recorded and analyzed using custom validation rules. These rules both identify security problems within the application and rank their level of security risk.

b. The tool maps to many of the Open Web Application Security Project’s (OWASP) Top 10 vulnerabilities as well. However, automated tools often generate false positives and also miss vulnerabilities that can only be exploited by understanding how a website works and accordingly circumventing the business flow. In order to address these issues, a manual assessment will be carried out covering all the security domains. Gaps will be documented and discussed with the management, and a remediation plan and dates finalized.

1.3 Tools and Techniques

Tools: Web Smack, Nessus, Nmap, Metasploit Framework, Burp Suite, Acunetix, WebInspect, Paros Proxy, Nikto, LibNet.

Standard: OWASP, ISO 27001

1.4 Deliverables

Application Security Audit report

Executive summary containing gaps / issues which need immediate attention

Log of all issues / gaps based on the assessment performed.
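The broken access control test in 1.1 v.b and the manual business-flow assessment in 1.2 b come down to one question: does the application check that the caller is entitled to the record named by a request parameter? The following is an added example, not code from the tender or from the CTD application: a constructed in-memory store of GST returns, the unchecked lookup an auditor would report as a finding, and the hardened lookup that remediates it. Names such as `Session`, `TaxReturn`, `dealer-A` and the `officer` role are assumptions made for the illustration.

```python
"""Added example (not part of the tender): the 'broken access control' check
from 1.1 v.b, shown as the control the auditor is looking for. Data and names
are constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str   # authenticated account (assumed field)
    role: str      # "dealer" or "officer" (assumed roles)


@dataclass(frozen=True)
class TaxReturn:
    return_id: int
    owner_id: str  # dealer who filed the return
    period: str
    taxable_value: int


# Constructed sample records standing in for the application's database.
RETURNS = {
    1001: TaxReturn(1001, "dealer-A", "2017-07", 250000),
    1002: TaxReturn(1002, "dealer-B", "2017-07", 980000),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested record."""


def get_return_unchecked(session, return_id):
    """Vulnerable pattern: trusts the return_id parameter and never checks
    ownership, so any authenticated dealer can read any dealer's return."""
    return RETURNS[return_id]


def get_return_hardened(session, return_id):
    """Remediated pattern: look the record up, then verify the caller may see
    it. Officers may view any return; dealers only their own. A missing record
    and a forbidden one produce the same error, so ids cannot be enumerated."""
    record = RETURNS.get(return_id)
    not_owner = record is not None and record.owner_id != session.user_id
    if record is None or (session.role != "officer" and not_owner):
        raise Forbidden(f"return {return_id} not accessible")
    return record


def is_denied(lookup, session, return_id):
    """True if the lookup refuses the request, which is the behaviour the
    audit expects for a record the session does not own."""
    try:
        lookup(session, return_id)
    except Forbidden:
        return True
    return False


def cross_dealer_leak(lookup):
    """The 1.1 v.b test: a dealer-A session requests dealer-B's return id.
    Returns True when the lookup hands over another dealer's record (finding),
    False when the request is refused (control operating)."""
    probe = Session(user_id="dealer-A", role="dealer")
    return not is_denied(lookup, probe, 1002)


if __name__ == "__main__":
    print("unchecked lookup leaks cross-dealer data:", cross_dealer_leak(get_return_unchecked))
    print("hardened lookup leaks cross-dealer data:", cross_dealer_leak(get_return_hardened))
```

The point for the remediation plan is that the check sits on the server, next to the lookup, and keys on the authenticated session rather than on anything in the request; hiding ids in the user interface is not a control.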

2. Application Functional Control Review

2.1 Activities

a. Review the flow of transactions for the various business processes supported by the in-scope applications.

b. Review the interfaces and interdependencies between the different in-scope applications.

c. Review the master data configuration of the applications as well as the nature of the audit trails maintained in the in-scope applications.

d. Develop a Control Catalogue (Risk and Control Matrix) for all the identified processes.

e. Perform the identified business process review (application control testing).

f. Perform segregation of duties review.

g. Perform access control review.

2.2 Approach & Methodology

a) Conduct meetings to understand the processes, process interdependencies and their logical mapping to the different applications (through review of SRS/functional specification documents, blueprint documents, user manuals or any other available relevant document).

b) Perform a "what could go wrong" analysis for the various processes supported by the in-scope applications, using leading control practices that are generally automated to prevent, detect or correct errors/irregularities.

c) Assess the presence of the identified controls by performing tests of the automated controls (including interface controls) built into the in-scope applications.

d) Identify deficiencies in the automated controls designed or envisaged to be operating in the in-scope applications.

e) Document and Discuss gaps with the management and finalize remediation plan and dates.

2.3 Tools and Techniques: Control catalogue, Risk Control Matrix

2.4 Deliverables: Application functional Audit Report

3. IT General Control Review

3.1 Activities

a. Review of the controls implemented by the organization over maintenance access provided to third parties.

b. Review the physical access controls governing access to the datacenter, as follows:

Creation and revocation of physical access for organization employees and vendors

Periodic review of users provisioned with access to the datacenter

Visitor access management

c. Exception reporting and resolution in case of unauthorized access to the data center.

d. Review the environmental controls related to the data center (e.g. fire alarms, temperature monitoring).

e. Review of the controls implemented by the organization for fault resolution.

f. Review the controls related to secure movement of backup and other media to and from the data center.

g. Review of the controls for backing up data from local desktops and the related restoration.

h. Review the corrective actions taken for security violations reported during the period of assessment.

i. Review the classification of information and third-party vendors' access rights to sensitive information.

j. Review desktop-level protection: ransomware, malware, data theft (DLP).

3.2 Approach & Methodology

a) Understand the IT general control processes, such as configuration management, user access management and backup management, for the in-scope applications through discussions and interviews.

b) Develop audit work programs for each area in scope.

c) Review IT general control process and policy documents.

d) Perform an IT process walkthrough with a sample.

e) Verify the adequacy and effectiveness of the control design and implementation.

f) Document test-of-effectiveness gaps and provide recommendations for closure of the gaps; and

g) Discuss gaps with the management and finalize the remediation plan and dates.


3.3 Tools and Techniques:

Standard: ISO 20000, ISO 27001

3.4 Deliverable: IT General control Review report
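The physical access items in 3.1 b (creation and revocation of access for employees and vendors, periodic review of provisioned users) are usually tested by reconciling the access control system's provisioned list against the HR roster and the vendor contract register. The following is an added example, not code from the tender or the Department: all three lists are constructed sample data, the field names (`badge`, `emp_id`, `contract`, `last_reviewed`) and the 90-day review period are assumptions, and the as-of date is the tender's issue date used only as a reference point.

```python
"""Added example (not part of the tender): reconciliation behind the
datacenter access review in 3.1 b. All records are constructed samples."""

from datetime import date

# Provisioned badge holders, as exported from the physical access system
# (constructed; field names are assumptions).
ACCESS_LIST = [
    {"badge": "B001", "name": "A. Rao", "type": "employee", "emp_id": "E100", "last_reviewed": "2017-01-15"},
    {"badge": "B002", "name": "K. Reddy", "type": "employee", "emp_id": "E101", "last_reviewed": "2017-05-10"},
    {"badge": "B003", "name": "S. Kumar", "type": "employee", "emp_id": "E102", "last_reviewed": "2017-05-10"},
    {"badge": "B010", "name": "VendorCo tech", "type": "vendor", "contract": "C-77", "last_reviewed": "2017-05-10"},
    {"badge": "B011", "name": "OldVendor tech", "type": "vendor", "contract": "C-12", "last_reviewed": "2016-11-01"},
]

# HR roster: employee id -> employment status (constructed).
HR_ROSTER = {"E100": "active", "E101": "separated", "E102": "active"}

# Vendor contract register: contract id -> end date (constructed).
VENDOR_CONTRACTS = {"C-77": date(2018, 3, 31), "C-12": date(2017, 3, 31)}

# Assumed control parameters for the example.
REVIEW_PERIOD_DAYS = 90
AS_OF = date(2017, 6, 5)


def review_datacenter_access(access_list, hr_roster, contracts, as_of):
    """Return (badge, issue) findings: access that should have been revoked,
    vendor access with no valid contract, and entries whose periodic review
    is older than REVIEW_PERIOD_DAYS."""
    findings = []
    for entry in access_list:
        if entry["type"] == "employee":
            status = hr_roster.get(entry["emp_id"])
            if status is None:
                findings.append((entry["badge"], "no HR record"))
            elif status != "active":
                findings.append((entry["badge"], "access not revoked after separation"))
        else:
            end = contracts.get(entry["contract"])
            if end is None or end < as_of:
                findings.append((entry["badge"], "vendor contract expired or unknown"))
        reviewed = date.fromisoformat(entry["last_reviewed"])
        if (as_of - reviewed).days > REVIEW_PERIOD_DAYS:
            findings.append((entry["badge"], "periodic review overdue"))
    return findings


if __name__ == "__main__":
    for badge, issue in review_datacenter_access(ACCESS_LIST, HR_ROSTER, VENDOR_CONTRACTS, AS_OF):
        print(badge, issue)
```

Each finding maps to an audit observation: a separated employee still holding a badge is a revocation control failure, an expired vendor contract with live access is a third-party access failure, and stale review dates show the periodic review is not operating at the stated frequency.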

4. Software Change Control Review

4.1 Activities to be undertaken:

i. Review the procedures adopted by the Organization for software change management.

ii. Perform tests of design and implementation for the following key control areas identified during the walkthrough, with reference to leading practices:

a. Processing of new feature requests

b. Fault reporting, tracking and resolution

c. Testing of new releases, bug fixes etc.

d. Software version management process

e. Deployment of new releases onto production

iii. Review the segregation of the test/development and production environments.

iv. Review the corrective action taken for production issues reported during the period of assessment.

4.2 Approach & Methodology

a. Understand the change management process workflow for the in-scope applications through discussions and interviews.

b. Review change management policies and procedure documents.

c. Review the workflow for management approval.

d. Document test-of-effectiveness gaps and provide recommendations for closure of the gaps; and

e. Discuss gaps with the management and finalize the remediation plan and dates.

4.3 Tools and Techniques: Standard: ISO 20000, ISO 27001

4.4 Deliverables: Software Change Control Audit report

5. Data Communication and Network Controls Review

5.1 Activities to be undertaken:

a. Network administration: Assessment of the network redundancy. In addition, review the network monitoring and performance parameters, service outages and the action taken.

b. WAN management: Review the availability of backup arrangements for business continuity.

c. Data protection during transmission: Review the encryption techniques currently used for routers during transmission; OWASP Top 10 vulnerabilities.

d. Connection permission: Review of access control lists for routers.

e. Fallback mechanisms: Review the fallback/backup network connectivity strategy in place and the testing results of the same. For example, an Internet VPN could be a temporary fallback mechanism for MPLS.

f. Review the controls around hardware-based two-factor authentication, if applicable.

g. Review the corrective actions taken for access reported in the period of assessment.

h. Review the network architecture to understand the subnet design and deployment of the in-scope network devices.

i. External network penetration testing and remote access security review.

5.2 Approach & Methodology

a. Obtain documentation for the identified network elements.

b. Study the network component-specific technical documentation to identify the access control requirements.

c. Review the network access control matrix.

d. Review other relevant control issues, such as whether appropriate mechanisms have been developed to control the allocation and maintenance of the network.

e. Make recommendations to improve controls.

5.3 Tools and Techniques: Standard: ISO 27033, 27001; Tools: QualysGuard, Wireshark

5.4 Deliverables: Data communication and network control review report
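The "connection permission" item in 5.1 d is a review of router access control lists, and the first pass of such a review is mechanical: find entries that permit everything, expose management or cleartext protocols to any source, are unreachable because an earlier entry already matches, or leave the list without a logged explicit deny. The following is an added example, not code from the tender or the Department: the ACL text is constructed, its syntax is modelled on Cisco IOS extended ACLs (an assumption; other platforms differ), and the port lists are an assumed review baseline. It flags candidates for the auditor to confirm against the running configuration; it is not a substitute for reading it.

```python
"""Added example (not part of the tender): first-pass review of a router ACL
for the 'connection permission' check in 5.1 d. The ACL and the port lists
below are constructed for illustration."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in a Cisco-IOS-like extended ACL syntax (assumption).
SAMPLE_ACL = """\
ip access-list extended WAN-IN
 permit tcp 10.20.0.0 0.0.255.255 host 10.1.1.10 eq 443
 permit tcp any host 10.1.1.20 eq 23
 permit ip any any
 deny ip any any log
"""

# Assumed review baseline: ports that must not be reachable from an
# unrestricted source, and ports whose protocol carries credentials in clear.
MANAGEMENT_PORTS = {22, 23, 3389}
CLEARTEXT_PORTS = {21, 23, 80}


@dataclass
class Entry:
    line_no: int
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[int]
    log: bool


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if not tokens:
        raise ValueError("address specification missing")
    if tokens[0] == "any":
        return "any", tokens[1:]
    if len(tokens) < 2:
        raise ValueError("incomplete address specification")
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text) -> List[Entry]:
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # list header, remarks, blank lines
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _take_address(rest)
        dst, rest = _take_address(rest)
        port = None
        if len(rest) >= 2 and rest[0] == "eq":
            port, rest = int(rest[1]), rest[2:]
        entries.append(Entry(n, action, proto, src, dst, port, "log" in rest))
    return entries


def review_acl(text) -> List[Tuple[int, str]]:
    """Return (line_no, message) findings; line 0 denotes a list-level finding."""
    findings = []
    entries = parse_acl(text)
    shadowed_from = None  # line of a 'permit ip any any' that hides later entries
    for e in entries:
        if shadowed_from is not None:
            findings.append((e.line_no, f"unreachable: shadowed by permit-all at line {shadowed_from}"))
            continue
        if e.action != "permit":
            continue
        if e.src == "any" and e.dst == "any" and e.port is None:
            findings.append((e.line_no, "permits all traffic from any source to any destination"))
            if e.proto == "ip":
                shadowed_from = e.line_no
            continue
        if e.port in CLEARTEXT_PORTS:
            findings.append((e.line_no, f"cleartext protocol on port {e.port} permitted"))
        if e.port in MANAGEMENT_PORTS and e.src == "any":
            findings.append((e.line_no, f"management port {e.port} reachable from any source"))
    if not any(e.action == "deny" and e.log for e in entries):
        findings.append((0, "no explicit logged deny at end of list"))
    return findings


if __name__ == "__main__":
    for line_no, message in review_acl(SAMPLE_ACL):
        print(f"line {line_no}: {message}")
```

The shadowing check matters in practice: a `permit ip any any` placed above the final deny silently turns every later entry, including the logged deny the team relies on for evidence, into dead configuration.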

6. Performance and Scalability Review

6.1 Activities to be undertaken:

a. Review controls for performance monitoring of hardware, software and network.

b. Review of system performance at peak load level during the period of assessment.

c. Review of the underlying technology framework for supporting the expanding user base.

d. Review of the underlying technology framework for supporting an increasing number of locations.

6.2 Approach & Methodology

a. Define a baseline for the performance and scalability audit.

b. Identify data points and data sources.

c. Collect, interpret and scrutinize the data provided for review.

d. Conclude on audit observations and gaps.

e. Finalize the performance audit report.

6.3 Tools and Techniques: Standard: ISO 20000

6.4 Deliverables: Performance and scalability review report

7. Security Control – Infrastructure Review

7.1 Activities to be undertaken:

a. Review the controls around LAN security and monitoring implemented at the organization.

b. Review of the server infrastructure, including application, database, report and web servers etc. at the primary and secondary sites.

c. Review of the baseline configuration defined for Internet connectivity. This will be performed by reviewing the controls around Internet access rights and privileges, rule sets for firewalls, routers, email servers and intrusion prevention systems.

d. Review the virus detection and prevention procedures implemented to mitigate virus attacks/outbreaks. Further, review the corrective procedure in the event of a virus infection.

e. Review the controls implemented for secure transmission of emails (e.g. rule sets, digital signatures) and archival of e-mails.

f. Review the corrective actions taken for security violations reported during the period of assessment.

g. Secure management and data exchange protocols.

7.2 Approach & Methodology:

I. Update the security controls checklist around domains such as remote access management, SSH configuration, terminal management, account management, system logging and auditing, backup process etc.

II. Review the version of platform of the respective network elements.


III. Validate the hardening of the said network element on the following parameters:

a. Password policy management

b. User profile and group management

c. Authentication and authorization

d. Privilege-based user groups

e. Remote access

f. Denial of service

IV. Study the network component-specific technical documentation to identify the security parameters.

V. Review other relevant control issues, such as whether appropriate mechanisms have been developed to control the allocation and maintenance of the network.

VI. Make recommendations to improve controls.

7.3 Tools and Techniques

Tools: EY Mercury (proprietary scripts), Immunity Canvas, Wireshark, BindView BV Control

Standard: ISO 27001

7.4 Deliverables: Security Control – Infrastructure Review report

8. Review of Business Continuity / Disaster Recovery Controls

8.1 Activities to be undertaken:

I. Review the Business Continuity Plan (BCP) / IT Disaster Recovery Plan (DRP) documents prepared by the Organization.

II. Review the supporting documentation related to the BCP / DRP of ABC such as the Business Impact Analysis, Risk Assessment Report, Crisis Management Plan, IT DR procedures and workflow for the following:

a. Back up of critical system data

b. Recovery process review

c. Review of redundancy – equip, network etc.

d. DRS installation and drills

e. RTO and RPO requirements for DR

f. Storage of backup

III. Review of the actual planned switch to the DR site supporting full operations for several days.

IV. Review of RTO/RPO in the event of invocation of the BCP/DR plan during the period of assessment.

8.2 Approach & Methodology

1. Conduct meetings to understand the critical application and its interdependencies

2. Review Business Continuity Plan (BCP) / IT Disaster Recovery Plan (DRP) documents documented by GSTN

3. Document the gaps identified and recommendations

8.3 Tools and Techniques: Standard: ISO 22301

8.4 Deliverables: Business Continuity / Disaster Recovery Controls review report.

9. IT Support and IT Asset Management Review

9.1 Activities to be undertaken

I. Review system utilization reports

II. Projection of system capacity to handle maximum load. This will be performed by reviewing the latest system performance and the corresponding transaction load, and estimating the transaction load at full capacity utilization.


III. Review controls related to the following processes:

a. Maintenance of IT asset Inventory

b. Maintenance of Agreement / contracts

c. Equipment / media disposal

IV. Review insurance policies to assess coverage of critical assets.

9.2 Approach & Methodology

I. Conduct meetings to understand the IT asset management process.

II. Obtain and understand the agreements / contracts for the IT assets deployed, to understand the SLA and insurance coverage.

III. Document the gaps identified and recommendations.

9.3 Tools and Techniques: Standard: ISO 20000

9.4 Deliverables : IT Support and IT Asset Management Review report

D. ROLES AND RESPONSIBILITY:

D.1 Roles and Responsibilities of the Department:

a. Nomination of Department Coordinator who is responsible for the Functional & Security Audit

b. Provide broad guidance on the Department's existing IT & Network Infrastructure, Applications, etc.

c. Providing the Service Provider with the relevant data to undertake audit

d. Regularly reviewing the progress of the work carried out by the Agency for the contribution of the State-specific content.

e. Payment processing of the bills submitted by the Agency as per Payment terms.

D.2 Responsibility of Identified Service Provider:

In addition to the responsibility towards the scope of the work mentioned in above paras, the consultant is also required to undertake the following:

a. Understanding of the Scope of Work & requirements of the Dept.

b. Entering into a Contract Agreement & NDA with the Commissioner, Commercial Tax Dept.

c. Execution & Completion of work as per Contract.

d. Submission & fulfillment of deliverables.

e. Deployment of qualified manpower as defined in the RFP during project

f. Any other works as assigned by the Commissioner, Commercial Tax Dept related to the project

g. The consultants/manpower deployed shall submit the deliverables as per the Industry standards.

h. The Service Provider should maintain the documentation under version control, keeping track of all changes made from time to time, and submit the same to the Department with all versions.

i. Optimization: The vendor will review the existing application and suggest any modifications so as to increase the efficiency of the application. A detailed report of the proposed changes and the risks involved, along with their implications, will be handed over to the Department.

E. Sub-Contract: No Sub-Contract is permitted.

F. Project Reporting: The Service Provider will work under the direct supervision of the Commissioner, Commercial Tax Dept.


G. Project Deliverables:

There are several deliverables which will be produced as a result of the successful completion of the Project. A few of the deliverables are listed below:

1. All the documentation (Design document & manuals) related to the Project

2. Use cases prepared, manuals, training manuals

3. All the information collected from the field for project

4. Technical documents

5. Ensure deployment of quality manpower

6. The Service Provider shall submit the Project Implementation Action Plan with timelines and shall strictly follow the same

7. Any other documents or information related to the scope of work as requested by the Department
</gml_replace>
<gr_replace lines="1518" cat="clarify" orig="H. Ownership">
H. Ownership of the Audit Reports : The entire audit reports shall be owned by the CT Department, and the identified agency shall not use the project information in any manner without prior approval of the CT Dept.

8. Exit management plan

H. Ownership of the Audit Reports : The entire audit reports shall be owned by the CT Department and the identified agency shall not use the project information in any manner without prior approval of the CT Dept.

I. Exit Management Schedule

This schedule sets out the provisions which apply on expiry or termination of the work contract / agreement, the project execution and the Statement of Works.

The Department has the right to terminate the services of the service provider if the performance of the Identified Agency is not satisfactory.

J. Confidentiality and Intellectual Property Rights (IPR)

The IPR and the Audit Reports would be owned by the Department, Govt. of Telangana. The service provider will sign a non-disclosure agreement with the Department.

a. Confidentiality

The successful bidder must maintain absolute confidentiality of the documents / data collected in any form, including electronic media, and any other data / information provided to him for the execution of the work.

The identified agency shall sign a Non-Disclosure Agreement (NDA) with CT Dept.

The bidder should not use the Project data for any purpose other than the scope of work specified in the document and added / amended before signing the contract.

The Bidder must remove / destroy the entire data from his custody after completion of the warranty period. If at any stage it is found that the bidder is using the data provided by the client, at any time during the contract execution or after completion of the contract, for any other purposes, stringent legal action will be initiated as per the applicable law of the land and the contract will be terminated without assigning any reasons.

The Bidder shall not disclose to anyone any information marked as confidential and communicated or made available or accessible by the firm during execution of the work.

b. Use of documents and Information and Ownership of the source code

The bidder shall not, without prior written consent from the User Department / TSTS, disclose / share / use the bid document, contract, or any provision thereof, or any specification, plan, drawing, pattern, sample or information furnished by or on behalf of the User Department / TSTS in connection therewith, to any person other than a person employed by the bidder in the performance of the contract. Disclosure to any such employed person shall be made in confidence and shall extend only so far as may be necessary for purposes of such performance.

The bidder shall not, without prior written consent of the User Department / TSTS, make use of any document or information made available for the project, except for purposes of performing the Contract.

All project-related documents (including this bid document) issued by the Department / TSTS, other than the contract itself, shall remain the property of the Department / TSTS and shall be returned (in all copies) to the Department / TSTS on completion of the Bidder's performance under the contract.

--o0o--