Ministry/Division : Ministry of Finance
Agency : Rupali Bank Limited
Procuring Entity Name : Rupali Bank Ltd.
Procuring Entity Code :
Procuring Entity District : Dhaka
Expression of Interest for Selection of : Consulting Firm (National) (Lump-Sum)
Title Of Service : Consulting Firm
EOI Ref. No. : Tender/EOI/ICT Sys/2020/18
Date : 08/01/2020
KEY INFORMATION
Procurement Sub-Method : Quality and Cost Based Selection (QCBS)
FUNDING INFORMATION
Budget and Source of Funds : Development Budget Own Funds
Development Partners :
PARTICULAR INFORMATION
Project/Programme Name :
EOI Closing Date and Time : 29/01/2020 3:00 PM
Publication Date : 13/01/2020
INFORMATION FOR APPLICANT
Brief Description of Assignment :
a. Information System/Information Technology (IS/IT) Services: Information System Audit (Complete Information System Assessment of IT Enabled Services of Bank).
b. Security Assessment Services i.e. Vulnerability Assessment & Penetration Testing (VA & PT) of Network and Configuration Review of Servers and Security/Network Devices and Software Source Code Review.
c. Procurement of Vulnerability Assessment & Penetration Testing (VA & PT) Tools (Automated).
d. Standard Framework (International i.e. ISO 9001, ISO 27001, ISO 20000 & PCI DSS) Implementation and Accreditation for Bank ICT Division (ICT Systems, ICT Operations, Mobile Banking and DC & DRS).
e. Technical Documentation: Making Documentation on Information System Security, Policies, Process & Standards etc.
f. Capacity Building (Training): CISA, CEH, ITIL, CSCU, VA&PT, QMS-ISO 9001, ISMS-ISO 27001, ITSM-ISO 20000.
Experience, Resources and Delivery Capacity Required :
1. The Tenderer may participate alone or form a consortium consisting of a maximum of 03 (three) members. In case of a consortium, legal documents on the partners’ roles and responsibilities should be included as an attachment to the bid proposal. One member of the consortium acts as prime partner and the other(s) as member partner(s).
2. The Tenderer (prime and member) should be legal entities and registered national/international organization/government organization/ Public sector unit/ Limited Company that have not been prohibited by Bangladeshi or international court(s) to enter into contracts. In case of a government organization, it must have the permission for participating in the bidding process from the competent authority.
3. The Tenderer (prime and member) must not participate in more than one bid.
4. In case of a consortium, all qualification criteria must be fulfilled by consortium and the prime partner will be fully responsible for all contractual obligations.
5. The prime partner must have registered office in Bangladesh.
6. The Tenderer shall be authorized/registered as a core Information System/Information Technology related service provider having a minimum of 05 (five) years of experience in related business.
7. As core business, the company must have previous experience within last 03 years in completion of related works like Information Systems Audit, Vulnerability Assessment & Penetration Testing, Information Security related consultation, Composite Technical Documentation for IT Enabled Services.
8. The Company must have performed Information System Audit/Information Technology (IS/IT) Audit (special emphasis on IS/IT Security) in at least 03 (three) institutions, out of which 01 (One) is a Scheduled Bank, within the last 05 (Five) years. Completion certificate and relevant documents must be submitted as proof.
9. The minimum required qualification and experience of professional staff for Information System Audit:
a. Team Leader should have Certified Information Systems Auditor (CISA) certification with a minimum of 08 (eight) years of IT/Technical audit experience.
b. 02 (Two) CISA/ Certified IS auditor by reputed University/ ISO 27001 LA
c. 01 (One) Certified in Project Management (PMP/MPM/CIPM/Prince2).
d. 01 (One) CGEIT (Certified in the Governance of Enterprise IT)/COBIT or equivalent degree.
e. 01 (One) Bank audit and 01 (One) risk management expert having at least 05 (five) years of experience.
f. 01 (One) Finance expert having FCA/FCMA/ACCA qualification and at least 02 (two) years of experience.
g. 01 (One) IT network expert/CCNP/equivalent with at least 05 (five) years of experience.
h. 01 (One) Certified Data Centre Specialist (CDCS)/or Equivalent.
i. 01 (One) Electrical engineer with at least 02 (two) years of engineering practice.
j. Audit Team must have at least 7 members.
10. The Company should have performed Vulnerability Assessment & Penetration Testing and Configuration & Code Review (Security Assessment of same nature) in at least 03 (three) institutions, out of which 02 (two) are Scheduled Banks, within the last 3 (three) years. Completion certificate and relevant documents must be submitted as proof.
i. The minimum required qualification and experience of professional staff for Vulnerability Assessment & Penetration Testing (VA&PT):
a. Team Leader should have Licensed Penetration Tester (LPT)/ Cyber Security & Cyber Forensic (CSCF)/ Certified Information System Security Professional (CISSP)/Offensive Security Certified Professional (OSCP)/ Payment Card Industry Qualified Security Assessor (PCI QSA) qualification with a minimum of 08 (eight) years of ICT/IT Security Assessment experience.
b. 01 (One) Licensed Penetration Tester (LPT)/ Offensive Security Certified Professional (OSCP)
c. 01 (One) Certified Information System Security Professional (CISSP)/ Cyber Security & Cyber Forensic (CSCF)/ Payment Card Industry Qualified Security Assessor (PCI QSA).
d. 01 (One) Certified Information System Auditor (CISA)/ Certified IS auditor by reputed University/ ISO 27001 Lead Auditor (LA).
e. 01 (One) Certified in Project Management (PMP/MPM/CIPM/Prince2).
f. 01 (One) Certified Data Centre Specialist (CDCS)/or Equivalent.
g. 01 (One) CGEIT (Certified in the Governance of Enterprise IT)/COBIT or equivalent degree.
h. VA/PT team must have at least 5 members.
11. The minimum required qualification and experience for (ISO 27001, ISO 9001, ISO 20000):
i. The company must have 05 years of experience in handling end-to-end consultation/co-ordination for achieving ISO for different organizations.
ii. External ISO Audit firm must provide proof of ISO accreditation services as the core activity of the ISO Audit firm.
iii. External ISO Audit Firm must have at least 05 certified clients on each of the ISOs, i.e. ISO 9001, ISO 27001 & ISO 20000.
iv. External ISO Audit Firm must be a direct part of International ISO Certification Body.
12. The minimum required qualification and experience for PCI DSS:
i. The Bidder must have 01 (One) year experience of providing Consultation/Implementation/Certification services for various PCI DSS disciplines. (Bank/merchant/service provider/issuing authority etc.)
ii. The Bidder must have 01 (One) Bank/NBFI working experience on Consultation/Implementation/Certification services for various PCI DSS. Completion Certificate and related document must be submitted.
iii. PCI QSA firm must have valid insurance coverage as required by PCI SSC. Foreign PCI QSA firm’s insurance should cover Bangladesh as service location. Evidence of such insurance must be submitted.
iv. PCI QSA must be actively enlisted on the PCI SSC, USA website.
13. The minimum required qualification and experience for making Technical Documentation:
i. Consultant Firms must have professional(s) with hands-on experience in making Technical Documentation (policy, process, standard), especially in the Banking Industry.
ii. Vendor should have a minimum of 05 years of hands-on experience in making/assisting with technical documentation for client(s).
iii. The policy and procedure should meet the latest standard of Bangladesh Bank ICT Security Guideline Version 3.0 (2015), PCI DSS 3.2.1, SWIFT, ISO 27001, COBIT-5, NIST (updated controls) and CIS CSC V6.1 (updated controls), and each control of this policy should carry a specific reference stating which clause of which standard/control it covers.
iv. Vendor should have practical experience of successfully delivering similar technical documentation (policy, process, standard) to clients.
14. Capacity Building (Training): CISA, CEH, ITIL, CSCU, VA&PT, QMS-ISO 9001, ISMS-ISO 27001, ITSM-ISO 20000.
i. Trainer should be certified in the specific domain.
ii. For those trainings, the trainer must be a professional trainer.
15. The Prime partner must have at least 25 employees on direct payroll; in case of a consortium, the number of employees should be at least 40 persons on direct payroll.
16. The Tenderer must submit a satisfactory certificate of completion of a single contract of minimum Tk. 60 (sixty) lac and of minimum Tk. 3 (three) crore under multiple contracts within the last 03 (three) years.
17. Registration of firm(s), including the following legal documents:
i. Up to date Trade License.
ii. Valid TIN Certificate.
iii. VAT Registration Certificate.
iv. Up to date Income Tax Clearance Certificate.
v. Brochures submitted by the applicant summarizing their facilities and areas of expertise.
vi. Bank Solvency Certificate within 6 (six) months of the date of the published EOI.
18. Special Instruction:
i. Incomplete/partial EOIs will be rejected.
ii. If the applicant fails to submit any of the required documentary evidence, their tender/application/proposal will be treated as non-responsive.
Other Details (if applicable) : N/A
Association with foreign firms is : Not Encouraged
EOI Detail Information
Ref No | Phasing Of Services | Location | Start Date | Completion Date
N/A | N/A | N/A | N/A | N/A
PROCURING ENTITY DETAILS
Name of Official Inviting EOI : Md. Rahmatullah Sarker
Designation of Official Inviting EOI : Deputy General Manager
Address of Official Inviting EOI : ICT Systems Division, Rupali Bank Ltd., Head Office, 9th floor, 34 Dilkusha C/A, Dhaka-1000.
Contact details of Official Inviting EOI : Phone : 8802-9514940, Fax : , Email : ho-it@rupalibank.org
The procuring entity reserves the right to accept or reject all tenders