administrative and financial terms & conditions

Annexure – ‘A’
GENERAL AS WELL AS TECHNICAL TERMS AND CONDITIONS
1. The vendor must have been in the field of Information Security Auditing for at least five years, with proprietary Information Security courses.
2. The vendor must have conducted at least one Information Security Auditing for a
Government organization.
3. The company, or any member of the Consortium/Joint Venture, is not blacklisted by any Government Department / Public Sector.
4. The company bidding for the security audit must have successfully completed five audits over a period of five years.
5. The participating firms/companies are requested to attach self-attested legible documentary proof of the following with their technical bid. In the absence of any of these documents, the bid shall be disqualified/rejected straightaway without providing reasons:
a) Details and qualifications of Auditor(s)
b) Documents relating to experience of conducting a minimum of five security audit works as specified in clause No. 4 above.
c) Service Tax registration certificate.
d) Latest Service Tax deposit receipt/challan.
e) A list of owners/partners etc. of the company/firm with their contact numbers
f) Application Fee as prescribed
g) A certificate to the effect that the firm is neither blacklisted by any Govt. Department nor any Criminal Case is registered/pending against the firm or its owner(s) or partners anywhere in India.
h) EMD as prescribed
i) All other supporting documents as required in the tender shall be attached.
6. The tenderer must issue audit certificates by auditors as per the guidelines of CISSP/ISMS LA/CISM/CISA/ISA etc.
7. A copy of the terms and conditions, duly signed by the tenderer as a token of acceptance of the same, should be attached along with the tender.
8. For Internal Security Audit (Web):
a. Firms/Organizations shall also have to assist/undertake patching of vulnerabilities after the security audit.
b. Firms/Organizations shall also have to assist/undertake coding and updating to fix vulnerabilities after the security audit.
c. The internal security audit should be completed within 45 days from the date of award of the work order.
d. In case the firm does not complete the internal audit work within the stipulated period, i.e. 45 days from the date of the confirmed work order, a penalty amounting to 2.5% of the quoted amount (per day) will be imposed on the contractual firm, subject to a maximum of 10% of the entire amount after a week.
9. For Internal Security Audit (Network):
a. Firms/Organizations shall also have to assist/undertake patching of vulnerabilities after the security audit.
b. The internal security audit should be completed within 15 days from the date of award of the work order.
c. In case the firm does not complete the internal audit work within the stipulated period, i.e. 45 days from the date of the confirmed work order, a penalty amounting to 2.5% of the quoted amount (per day) shall be imposed on the contractual firm.
Annexure – ‘B’
THE SCOPE OF PROPOSED WORK
The Network and Security Audit for IT CENTRE/PHQ would cover the following scope:
1. Network Audit of IT DEPARTMENT ‐ The audit has to be conducted on
people/process/technology as per international standards and will involve the
Computer Facility of IT CENTRE/PHQ.
2. Comprehensive Technical Audit – Even though a Vulnerability Assessment and
Penetration Testing is a part of ISMS implementation, this project has a requirement
of a comprehensive technical audit which moves beyond the scope of normal audits.
This includes Application Security for critical applications as well as for security
appliances like Firewalls, IDS / IPS etc. The audit will be done for all the IT assets of the
organization.
3. Ongoing Implementation Support – Analysis of audit reports created as a result of the
audit exercise and preparation of subsequent Risk Treatment Plan and creation of
customized patches for applications wherever required.
i) ISO SECURITY AUDIT AND IMPLEMENTATION GUIDELINES
Setting up an Information Security Management System (ISMS) is an integral part of any organization. The ISMS should treat information security as a combination of people, process and technology, enabling the organization to measure the risk to its information and to select adequate and proportionate security controls that protect information assets and give confidence to interested parties, including the organization's users. It covers the following control areas:
– Security policy
– Organization of information security
– Asset management
– Human resources security
– Physical and environmental security
– Communications and operations management
– Access control
– Information systems acquisition, development and maintenance
– Information security incident management
– Business continuity management and Disaster Recovery
– Compliance
Deliverables
• Information Security Policy
• Risk Assessment Matrix
• Risk Treatment Plan
• Procedure manual
• Business Continuity Plan
• Disaster Recovery Plan
• Report submission on recommendations on the IT architecture of the Data center
• Technology Audit Report for the Data Center
• Patching implementation plan report
• Risk analysis report
i) Network Assessment, its Vulnerabilities and Penetration Testing
The scope of the job is to carry out an audit of the entire Network and web applications of IT CENTRE/PHQ and its centers. The vendor shall provide services for:
• The Applications Security audit has to be done on the following parameters:
- To assess flaws in the web hosting software, i.e. security of the web server.
- To assess flaws in the design of the applications.
- Attempting to guess passwords using password-cracking tools.
- Checking if commonly known holes in the software exist.
• For the Intra DP Portal:
1. The Intra DP Portal should be audited as per the Industry Standards and also as per the OWASP (Open Web Application Security Project) model.
2. The auditor is expected to submit the final audit report after the remedies/recommendations are implemented. The final report will certify the particular Intra DP Portal as “Certified for Security”.
3. The auditor must test the various web applications for web attacks. The checks/attacks/vulnerabilities should cover the following, or any other type of attack to which the Intra DP Portal is vulnerable:
- SQL injection
- CRLF injection
- Directory traversal
- Authentication hacking/attacks
- Password strength on authentication pages
- Scanning JavaScript for security vulnerabilities
- File inclusion attacks
- Exploitable hacking vulnerabilities
- Web server information security
- Cross-site scripting
- PHP remote script vulnerabilities
- HTTP injection
- Phishing a website
- Buffer overflows, invalid inputs, insecure storage etc.
- Any other attack that can be a vulnerability to the website or web applications
4. The Top 10 Web application vulnerabilities given below should also be checked, but the checks are not restricted to these. The best practices in the industry must be followed.
i. Cross Site Scripting (XSS)
ii. Injection Flaws
iii. Malicious File Execution
iv. Insecure Direct Object Reference
v. Cross Site Request Forgery (CSRF)
vi. Information Leakage and Improper Error Handling
vii. Broken Authentication and Session Management
viii. Insecure Cryptographic Storage
ix. Insecure Communications
x. Failure to Restrict URL Access
ii)
iii) Audit Report
The Website security audit report is a key audit output and must contain the following:
- Identification of the Auditee (address & contact information)
- Dates and location(s) of the audit
- Terms of reference (as agreed between the Auditee and Auditor), including the standard for the audit, if any.
- Audit plan.
- Additional mandatory or voluntary standards or regulations applicable to the Auditee.
- Audit standards that should be followed.
- Summary of audit findings, including identification of tests, tools used and results of tests performed (such as vulnerability assessment, application security assessment, password cracking, etc.):
A. Tools used
B. List of vulnerabilities identified
C. Description of vulnerability
D. Risk rating or severity of vulnerability
E. Test cases used for assessing the vulnerabilities
F. Illustration of the test cases to prove the vulnerability
G. Applicable screen dumps
- Analysis of vulnerabilities and issues of concern.
- Recommendations for action.
- Personnel involved in the audit, including identification of any trainees.
The auditor may further provide any other information required by the approach adopted and which they feel is relevant to the audit process.
Expectations of Auditee from the Auditor
Following are the expectations of the Auditee from the auditor:
1. Verification of possible vulnerable services will be done only with explicit written permission from the Auditee.
2. With or without a Non-Disclosure Agreement Contract, the security auditor will be ethically bound to confidentiality, non-disclosure of customer information, and security testing results.
3. The auditor should have clarity in explaining the limits and dangers of the security test.
4. Specific permission will be sought for tests involving survivability failures, denial of service, process testing, or social engineering.
5. The scope should be clearly defined contractually before verifying vulnerable services.
6. The scope should clearly explain the limits of the security test.
7. The test plan should be submitted and must include both calendar time and man-hours.
8. The security auditors are required to know their tools, where the tools came from, how the tools work, and to have them tested in a restricted test area before using the tools on the customer organization.
9. The exploitation of Denial of Service tests is done only with explicit permission.
10. High-risk vulnerabilities such as discovered breaches, vulnerabilities with known high exploitation rates, vulnerabilities which are exploitable for full, unmonitored or untraceable access, or which may convey immediate risk, discovered during testing are to be reported immediately to the Information Technology Centre, Police Headquarters, Delhi Police, with a practical solution, as soon as they are found.
11. The Auditor is required to notify the Auditee whenever the auditor changes the auditing plan, changes the source test venue, has high-risk findings, prior to running new, high-risk or high-traffic tests, and if any testing problems have occurred. Additionally, the Information Technology Centre, Police Headquarters, Delhi Police is to be notified with progress updates at reasonable intervals.
12. Reports should clearly state all states of security found, not only failed security measures.
13. Reports will use only qualitative metrics for gauging risks, based on industry-accepted methods. These metrics are based on a mathematical formula and not on the feelings of the auditor.
14. The Auditor is required to notify the Information Technology Centre, Police Headquarters, Delhi Police when the report is being sent, so as to expect its arrival and to confirm receipt of delivery.
15. All communication channels for delivery of the report are end-to-end confidential.
16. The Auditor shall be responsible for ongoing implementation support, which includes analysis of audit reports created as a result of the audit exercise, preparation of the subsequent Risk Treatment Plan and creation of customized patches for applications wherever required.
17. The Auditor has to analyze the existing network and its bottlenecks and to propose an efficient network design, secure data flow and architecture for IT Center, Police Headquarters, New Delhi.
18. Comprehensive Technical Audit – Even though a Vulnerability Assessment and Penetration Testing is a part of ISMS implementation, this project has a requirement of a comprehensive technical audit which moves beyond the scope of normal audits. This includes Application Security for critical applications as well as for security appliances like Firewalls, IDS / IPS etc. The audit will be done for all the IT assets of the organization and the auditor has to ensure the same.
20. The work is to carry out an audit of the INTRADP Network of IT Center, Police Headquarters, New Delhi. The vendor will provide services for:
• Evaluation of the current IT/Network infrastructure of IT Center along with the devices in use, Operating Systems, Database and Application packages, Operational Procedures and its website.
• Evaluating the design of the Network Architecture, recommending changes/new designs/layouts, and documenting the security architecture so as to conform to International Standards and industry-wide accepted best practices.
• Identification of vulnerabilities, security flaws, gaps and loopholes in the IT systems. These include but are not limited to:
o Workstations/Desktops
o Switch
o Router
o Web Servers
o Application Servers
o Proxy Server
o Remote Access Server
o Internet Gateway
o Firewall
o Wireless Network/Wi-Fi
• Fixing the vulnerabilities in deployment of applications/systems, and recommending fixes for system vulnerabilities in design or otherwise for the IT Infrastructure.
• Creating customized patches for vulnerabilities which cannot be rectified by availing of regular patches, to overcome security loopholes/flaws.
• There may be a change in network configuration, servers and devices from the time of release of the tender to the time the actual audit begins. Such a change needs to be accommodated by the Auditor.
21. Attempting to overload the systems using Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks.
22. Attempting penetration through perceivable network equipment/addressing and other vulnerabilities like:
- IP Spoofing
- Buffer Overflows
- Session hijacks
- Account Spoofing
- Frame Spoofing
23. The Auditor must ensure the following:
- 24x7 availability of the solution architecture to all users.
- Date and time stamps appear correctly on all reports.
- Servers are updated with the latest security patches.
- Remote server management software used.
- WebLogic server is up to date.
- Operating system version used.
- Logical access control techniques, viz. passwords, smart cards or other biometric technologies.
- Computer access and messages are logged, and security violations are reported and acted upon.
- Effectiveness of the tools being used for monitoring systems and the network against intrusions and attacks.
- Proper infrastructure and schedule for backup is fixed, and testing of backup data is done to ensure readability.
- Any other items relevant to security.
The following are the applications of IT Centre, PHQ available on the Cyber Highway Network of Delhi Police (Intranet):
1) Web-based Personnel Information System (WebPIS)
2) Complaint Monitoring and Tracking System (CMTS)
3) Court Cases Monitoring System (CCMS)
4) Promotion Process System for ‘A’ and ‘C’ List Examinations
5) Summon Warrant Software
6) Rewards Monitoring System
7) Office procedure
8) Standing orders
9) Circulars
10) All other information available on the IntraDP Portal
11) Mobile applications developed on Android, iOS, Windows and Blackberry
12) Network audit is restricted to the IntraDP Portal, NIC SMS, Gateway and NIC sites
13) Quarter Allotment application
14) Automated posts and transfer system
15) The small apps and information
With the advancement in Computer and Information Technology, the use of the Internet and information sharing has been increasing at a rapid pace. One of the negative impacts of this rapid increase has been the large rise in new information threats, which have grown at a tremendous pace in the last few years. As per the CERT (Computer Emergency Response Team) guidelines, it is recommended that all PSUs undergo a Network and Security audit to be safe from Cyber Terrorism.
It has been proven that computer networks have to be continuously monitored for known vulnerability attacks and that countermeasures must be taken to keep networks secure. Hence there is a need for an IT Network and Security process, backed by specialized products, to find and plug insecurities and to implement the security policy required for the network to be worthy of interconnection with international partners and doing business with them.
The objective is to conduct a third-party (a) Network Audit for efficient Network design and data flow and (b) Information Security Audit for ISMS Implementation. The audit ensures that the IT architecture is secure from Cyber Attacks and that all the information assets of the organization are secure from outsiders. The audit also ensures that the processes of the organization are streamlined to ensure maximum security of information.
The firm will be required to perform the following jobs:
iv) REQUIREMENTS FOR AN AUDIT
The following needs of IT CENTRE/PHQ have to be met:
- Security policy compliance for IT CENTRE/PHQ, covering:
o The policy should be concerned with confidentiality, integrity and availability of the data as well as with accuracy, reliability, performance and functional correctness of the information system.
o Database Security: when storing data in the database environment, database-specific security should be established.
- Continuously assess business and technical security risks.
- Comprehensive Vulnerability Assessment and Penetration Testing of the IT architecture of IT CENTRE/PHQ.
- Vulnerability remediation, including patch management.
- Report enterprise-wide security posture.
- ISMS audit and implementation training.
- Analyze the existing network and propose an efficient network design and architecture for IT CENTRE/PHQ.
- Analyze the existing bottlenecks in the IT network and suggest an efficient and secure data flow, etc.
ISMS = Information Security Management System
v) Auditors will carry out an audit on every change in the application, network etc. as per this scope of work for one year from the date of start of auditing. A fresh report will be submitted after the completion of every audit. The audit is to begin within 15 days of receiving the order.
Annexure ‘C’
ADMINISTRATIVE AND FINANCIAL TERMS & CONDITIONS
1. Separate envelopes should be used for the TECHNICAL BID and the COMMERCIAL BID. The words “TECHNICAL BID”/“COMMERCIAL BID” shall be prominently superscribed on the top of each envelope. Both these envelopes, duly sealed, may be put in a bigger cover which should also be sealed, superscribed and addressed to DCP/Genl. Admn., Delhi.
2. The tender should reach this office by 31.08.15 at 2.30 PM.
3. No tender will be accepted by hand, and tenders received late will not be entertained. Incomplete and conditional tender(s) will not be accepted at any cost.
4. The Technical Bids will be opened first, on 31.08.15 at 1500 Hrs., and the Commercial/Price Bids will be opened only for those firms which qualify technically.
5. Only Service Tax registered agencies are eligible to participate in this tender. Interested firms shall quote their TIN number and also attach documentary proof of having registered with the Service Tax Department with the technical bid.
6. The latest service tax deposit receipt/challan must be attached with the technical bid.
7. The tendering firm will have to submit a demand draft of Rs.500/- as application fee in favour of DCP/Genl. Admn., Delhi with the Technical Bid, which is non-refundable.
8. In case the firm fails to attach the draft of the application fee, the tender shall be rejected straightaway and no plea will be entertained later on.
9. Optional tenders will not be accepted.
10. No tender will be accepted without the requisite EMD. The tendering firm shall have to submit an earnest money deposit (EMD) of Rs.10,000/-, in the shape of an A/C Payee Demand Draft, FDR, Banker’s cheque or Bank Guarantee from any Commercial Bank in an acceptable form in favour of Dy. Commissioner of Police, Genl. Admn., Delhi, payable at Delhi. No interest will be paid on the EMD. The EMD should be valid for forty-five days beyond the bid validity.
11. The price must be quoted both in words as well as in figures. Nothing over and above the quoted price would be payable to the successful bidder. If there is any overwriting/cutting etc. in the tender, the same will be rejected.
12. The firm whose rates are accepted will have to deposit 10% of the total cost of the item as Performance Security in the shape of a Bank Draft/Bank Guarantee/FDR from any Commercial Bank in an acceptable form in favour of DCP/Genl. Admn., Delhi within a period of 7 days from the date of confirmation in this regard. The Performance Security should remain valid for a period of 60 days beyond the date of completion of all contractual obligations of the supplier, including warranty obligations. The work order will then be placed with the lowest firm within a further 7 days from the date of receipt of the Performance Security in PHQ.
13. In case the firm fails to deposit the performance security money, the EMD of the firm will be forfeited, and action for blacklisting can also be taken prior to taking any legal action.
14. The work is time bound; therefore, it should be completed within 45 days from the date of award of the work order. In case the firm fails to complete the work within the stipulated period, the work will be got done from the open market and the difference in cost, if any, will be recovered from the Security Money of the firm.
15. The tenderer can remain present himself or through his authorized representative at the time of opening of the tender. Only authorized representatives will be allowed to attend the meeting of the purchase committee. They should also bring the Letter-Head of the firm with an undertaking that any decision/negotiation taken by them would be accepted by the firm.
16. The Bid shall remain valid for three calendar months from the date of opening of the tender.
17. All the firms/companies participating in the tender must submit a list of their owners/partners/directors etc. with their contact numbers and a certificate to the effect that the firm is neither blacklisted by any Govt. Department nor any Criminal Case is registered against the firm/company or its owners/partners/directors anywhere in India.
18. The payment will be made on completion of the development work as per the prescribed specification, to be verified by Addl. DCP/IT/PHQ. No advance payment will be made.
19. No claim for interest in case of delayed payment will be entertained by the Department.
20. A copy of the terms and conditions, duly signed by the tenderer as a token of acceptance of the same, should be attached along with the tender.
21. The purchase committee reserves the right to relax any term and condition in the Govt. interest, with the approval of the competent authority.
22. The purchase committee reserves the right to reject any tender or all tenders without assigning any reason thereof.
23. The tender will be rejected straightaway without assigning any reasons if the firm/company or its owner/partner/director is involved in any criminal case or is declared blacklisted by any Govt./Semi Govt. Department/agencies etc.
24. All disputes are subject to the jurisdiction of the Courts in the NCT of Delhi.
25. No foreign company shall be entertained directly. However, as per the Compulsory Enlistment Scheme of the Department of Expenditure, Ministry of Finance, it is compulsory for Indian agents who desire to quote directly on behalf of their foreign principals to get themselves enlisted with the Central Purchase Organization (e.g. DGS&D).
26. In case of violation of any clause of the terms and conditions, an explanation can be called for from the firm by issuing a show-cause notice, and if the reply is not found satisfactory, the security money can be forfeited, besides which action to blacklist can also be taken, including legal action.
27. In case of any difference(s), the firm can be called for negotiation to patch up the differences across the table prior to approaching the Court.
NOTE:
(A) DOCUMENTS REQUIRED TO BE ATTACHED WITH TECHNICAL BID IN THE FOLLOWING ORDER:
1. The Demand Draft of Rs.500/- as application fee.
2. EMD in favour of DCP/Genl. Admn., Delhi amounting to Rs.10,000/-
3. Service Tax Registration Certificate.
4. Latest service tax Clearance Certificate.
5. Copy of the terms and conditions duly signed with the seal of the firm, in token of acceptance of the terms and conditions.
6. All the firms/companies participating in the tender must submit a list of their owners/partners/directors etc. and a Certificate to the effect that the firm is neither blacklisted by any Govt. Department nor any Criminal Case is registered against the firm/company or its owner/partners/directors anywhere in India.
7. Details and qualifications of Auditor(s)
8. Documents relating to experience of conducting a minimum of five security audit works
9. All other supporting documents as required in the tender shall be attached.
(B) DOCUMENTS REQUIRED TO BE ATTACHED WITH COMMERCIAL BID IN THE FOLLOWING ORDER:
Security Audit of IntraDP (Intranet of Delhi Police), Personnel Information System and other Delhi Police applications of IT Centre, PHQ.
COMMERCIAL BID shall contain the price only, and no other documents shall be enclosed with the Commercial Bid.
Price :- In figures :_________________________________________________________
In words :_____________________
ASSTT. COMMISSIONER OF POLICE:
HDQRS.(G): DELHI.
SIGN. OF TENDERER : _______________________________
NAME IN BLOCK LETTERS : ________________________
FULL ADDRESS : __________________________________
_________________________________________________