State Bank Of India Global IT Center Platform Engineering II . - SBI


State Bank of India Global IT Center
Platform Engineering II Department
Website: https://etender.sbi/SBI
RFP: SBI/GITC/Platform Engineering-II/2021/2022/808 dated 22/11/2021

RESPONSES TO PRE-BID QUERIES

S.No. 1 | RFP page 53 | Clause: 1 Suggestion
Query/Suggestion: The encryption solution must also support Quorum Policy for added security. Doing so mandates that all security sensitive operations in that group would require approval by a quorum instead of one single person taking the decision like Key Deletion etc.
Response: The Maker Checker shall be supported in all the critical key management operations. No Change in the RFP Terms & Conditions

S.No. 2 | RFP page 53 | Clause: 1 Suggestion
Query/Suggestion: The solution should offer "Secrets Management" to manage digital authentication credentials (secrets), including passwords, keys, APIs, and tokens for use in applications, services, privileged and other sensitive parts of the IT ecosystem
Response: The Cryptographic Key Management includes "Secret Management" for authentication. The features shall be provided if available out of box in the solution. No Change in the RFP Terms & Conditions

S.No. 3 | RFP page 77 | Clause: 3.2
Existing clause: Integrate with EMM/MDM systems and self-service certificate issuance and other activities
Query/Suggestion: Kindly explain the need to integrate with EMM & MDM Solution. Kindly Elaborate the use case and kindly share the EMM/MDM vendor of SBI
Response: The Solution shall integrate with requirements if required. No Change in the RFP Terms & Conditions

S.No. 4 | RFP page 78 | Clause: 3.7
Existing clause: The Solution shall be able to integrate with FIM (File Integrity Management) solution of the Bank for the file Integrity check
Query/Suggestion: Please explain which FIM tool we are integrating with. Are you expecting an API Integration?
Response: The solution shall integrate with all standard FIM Tools wherever applicable. The API Integration is also required. No Change in the RFP Terms & Conditions

S.No. 5 | RFP page 78 | Clause: 3.8
Existing clause: The Solution should support SCEP protocols to support certificate enrolment on mobile and endpoint devices.
Query/Suggestion: SCEP and ACME protocol are for key certificate issuance solutions. This is a separate solution and Not All OEM's support this feature as part of HSM/KMS solution. To encourage wider participation request SBI to remove this clause from the RFP to avoid giving advantage to select OEM
Response: Please refer to ‘Corrigendum-1’

S.No. 6 | RFP page 78 | Clause: 3.9
Existing clause: The Solution should support ACME protocol to integrate ACME clients for automating certificate deployment
Query/Suggestion: The Tender has asked for "Enterprise-wide Cryptographic Key Management Solution". Certificate deployment is not a part of HSM/KMS solution. Putting this clause would give undue advantage to specific OEM and hence would restrict competition. Request SBI to remove this clause so everyone gets a fair platform to compete.
Response: Please refer to ‘Corrigendum-1’

S.No. 7 | Page
Existing clause: seconds for hardware requirement. The Bidder is expected to submit of Benchmarking from OEM on the defined response time.
Query/Suggestion: Different OEM's would have different architecture for doing the crypto operations. Restricting the numbers for the architecture would make this tender proprietary and in turn would restrict wide participation. Since SBI has already mentioned the Uptime requirement and performance requirements as part of the functional requirements hence there is no point defining such parameters
Response: The solution architecture . The Bidder is expected to deploy the solution and provide the benchmarking report through OEM. No Change in RFP Terms & Conditions

S.No. 8 | RFP page 80 | Clause: 4.7
Existing clause: een Failure (MTBF)’ value as 25 years. (i.e.) The Hardware should not have any MTTR
Query/Suggestion: The RFP clearly mentions the Uptime requirements desired by SBI and has also mentioned the penalties for the bidders if they don't meet it. Therefore would request you to please remove this clause as this is not relevant. Every OEM would have a different architecture and parameters restricting or defining this clause would restrict the participants.
Response: The solution architecture shall not have any dependency on the expected MTBF & MTTR. No Change in RFP Terms & Conditions

S.No. 9 | RFP page 33 | Clause: 37. SERVICE PROVIDER’S OBLIGATIONS point
Existing clause: Service Provider at its own expenses, agrees to provide audit report ISSP, periodically, at least once in a year or as requested by the Bank.
Query/Suggestion: Please clarify the scope for this audit. What needs to be covered as part of this audit. Understanding is Bidder needs to implement and manage the proposed solution and close the gaps highlighted in the audit done by the Bank's auditors
Response: No Change in RFP Terms & Conditions

S.No. 10 | RFP page 51 | Clause: Appendix B - Bidder’s Eligibility Criteria - point 7
Existing clause: Client references and contact details (email/landline/mobile) of customers for whom the Bidder has executed similar projects in India. (Start and End Date of the Project to be mentioned) in the past (At least 2 client references are required)
Query/Suggestion: Request Bank to consider the clause as below: Client references and contact details (email/landline/mobile) of customers for whom the Bidder has executed similar projects in India. (Start and End Date of the Project to be mentioned) in the past (At least 1 client references are required)
Response: No Change in RFP Terms & Conditions

S.No. 11 | RFP page 51 | Clause: Appendix B - Bidder’s Eligibility Criteria point 8
Existing clause: Certification Requirements - Bidder shall have ISO / CMM Level 3 or equivalent certifications
Query/Suggestion: Request Bank to consider the clause as below: Certification Requirements Bidder? Group Company shall have ISO / CMM Level 3 or equivalent certifications
Response: No Change in RFP Terms & Conditions

S.No. 12 | RFP page 53 | Clause: 1 Suggestion
Query/Suggestion: The encryption solution must also support Quorum Policy for added security. Doing so mandates that all security sensitive operations in that group would require approval by a quorum instead of one single person taking the decision like Key Deletion etc
Response: The Maker Checker shall be supported in all the critical key management operations. No Change in the RFP Terms & Conditions

S.No. 13 | RFP page 53 | Clause: 1 Suggestion
Query/Suggestion: The solution should offer "Secrets Management" to manage digital authentication credentials (secrets), including passwords, keys, APIs, and tokens for use in applications, services, privileged d accounts and other sensitive parts of the IT ecosystem
Response: The Cryptographic Key Management includes "Secret Management" for authentication. The features shall be provided if available out of box in the solution. No Change in the RFP Terms & Conditions

S.No. 14 | RFP page 77 | Clause: 3.2
Existing clause: Integrate with EMM/MDM systems and self-service certificate issuance and other activities
Query/Suggestion: Kindly explain the need to integrate with EMM & MDM Solution. Kindly Elaborate the use case and kindly share the EMM/MDM vendor of SBI
Response: The Solution shall integrate with requirements if required. No Change in the RFP Terms & Conditions

S.No. 15 | RFP page 78 | Clause: 3.7
Existing clause: The Solution shall be able to integrate with FIM (File Integrity Management) solution of the Bank for the file Integrity check
Query/Suggestion: Please explain which FIM tool are we integrating with. Are you expecting an API Integration?
Response: The solution shall integrate with all standard FIM Tools wherever applicable. The API Integration is also required. No Change in the RFP Terms & Conditions

S.No. 16 | RFP page 78 | Clause: 3.8
Existing clause: The Solution should support SCEP protocols to support certificate enrolment on mobile and endpoint devices.
Query/Suggestion: SCEP and ACME protocol are for key certificate issuance solutions. This is a separate solution and Not All OEM's support this feature as part of HSM/KMS solution. To encourage wider participation request SBI to remove this clause from the RFP to avoid giving advantage to select OEM
Response: Please refer to ‘Corrigendum-1’

S.No. 17 | RFP page 78 | Clause: 3.9
Existing clause: The Solution should support ACME protocol to integrate ACME clients for
Query/Suggestion: The Tender has asked for "Enterprise-wide Cryptographic Key Management Solution". Certificate deployment is not a part of HSM/KMS solution. Putting this clause would give undue advantage to specific OEM and hence would restrict competition. Request SBI to remove this clause so everyone gets a fair platform to compete.
Response: Please refer to ‘Corrigendum-1’

Existing clause: e requirement. The Bidder is expected to submit of Benchmarking from OEM on the defined response time.
Query/Suggestion: Different OEM's would have different architecture for doing the crypto operations. Restricting the numbers for the architecture would make this tender proprietary and in turn would restrict wide participation. Since SBI has already mentioned the Uptime requirement and performance requirements as part of the functional requirements hence there is no point defining such
Response: The solution architecture . The Bidder is expected to deploy the solution and provide the benchmarking report through OEM. No Change in RFP Terms & Conditions

Existing clause: ve ‘Mean Time Between Failure (MTBF)’ value as 25 years. (i.e.) The Hardware should not have any MTTR
Query/Suggestion: The RFP clearly mentions the Uptime requirements desired by SBI and has also mentioned the penalties for the bidders if they don't meet it. Therefore would request you to please remove this clause as this is not relevant. Every OEM would have a different architecture and parameters restricting or defining this clause would restrict the participants.
Response: The solution architecture shall not have any dependency on the expected MTBF & MTTR. No Change in RFP Terms & Conditions

Clause: Appendix C - Technical & Functional Specifications - 6 Capacity/INFRA - point 6.4
Existing clause: The solution must be sized to store minimum 5 years data online and 10 years data in archive mode along with the backward compatibility for data restore if required by the Bank.
Query/Suggestion: Kindly confirm if Bank will provide the storage and backup for 10 years data in archive mode
Response: The storage for the backup and archival by the Bank. However, all the technical activities as per the laid down process of the Bank are included in the scope of work of the Bidder. No Change in the RFP Terms & Conditions

S.No. 21 | RFP page 84 | Clause: Appendix C Technical & Functional Specifications 6 Capacity/INFRA - point 6.6
Existing clause: The solution shall be able to scale up to meet the YOY growth in data & load (including the number of keys/certificate) and the numbers of connections without having to compromise on the system performance or changing the design/architecture set up of the system.
Query/Suggestion: Kindly confirm the percentage growth expected YOY which can help the bidder in sizing the proposed solution
Response: The Bank expects 20% YOY Growth. However, this is estimated ware, licences etc. to meet the actual growth during the period of the contract. No Change in the RFP Terms & Conditions

S.No. 22 | RFP page 87 | Clause: Appendix C Technical & Functional Specifications 7 Access/Authentication point 7.3
Existing clause: The solution must integrate with PIM/PAM solutions for management of privileged d Ids/generic users within the solution.
Query/Suggestion: Please confirm the PIM/PAM solution used by Bank
Response: The solution shall integrate all the standard PIM/PAM solutions available in the market to facilitate access management. No Change in the RFP Terms & Conditions

S.No. 23 | RFP page 90 | Clause: Appendix E Scope of s
Existing clause: The bidder shall provide onsite support for 24x7 with minimum 2 resources per shift for technical support and 2 resources per shift for functional support as per this RFP terms. A team leader in Bank’s Working hours shall be placed in addition to the team for management of team activities.
Query/Suggestion: Our understanding is the total resource requirement is 4 (2 for technical support and 2 for functional support). Please confirm
Response: Yes, The technical and functional support resources are separately required. No Change in the RFP Terms & Conditions

S.No. 24 | RFP page 91 | Clause: Appendix E Scope of Work and Payment Schedule Service Performance and Delivery Methodology point e
Existing clause: The Bidder shall also arrange PCI-DSS and ISO 27001 audit for the solution implemented certification and arrange for renewal whenever required during the entire duration of the contract.
Query/Suggestion: Understanding is Bank already has a team doing the PCI-DSS and ISO 27001 audit. Bidder only needs to close the gaps identified by the Bank's auditors of the proposed solution and need not do any PCI-DSS and ISO 27001 audit. Please clarify
Response: The Bidder is expected to arrange for PCI DSS and ISO certificate for the proposed setup of EKMS. The Bidder is expected to arrange for audit and closure both. No Change in the RFP Terms

S.No. 25 | RFP page 92 | Clause: Appendix E Scope of y Methodology point o
Existing clause: sizing details to keep the capacity utilization including memory, CPU, storage below 70% during the period of contract.
Query/Suggestion: Request you to consider the clause as below - "If the average CPU utilization of the proposed appliance crosses the threshold of 70% for 4 hours, 5 times in a week or 10 times in a month then bidder should fine tune the application or replace/upgrade the hardware to ensure utilization within the aforesaid threshold without any additional cost to the bank
Response: No Change in RFP Terms & Conditions

S.No. 26 | RFP page 93 | Clause: Appendix E Scope of Work and thodology point t
Existing clause: The solution must integrate with various systems / applications in the Bank including but not limited to SOC, SIEM, DAM, PIMS, NOC, Command Centre, ITAM, ADS and ITSM, DLP, ACC, FIM etc.
Query/Suggestion: Please confirm the SOC, SIEM, DAM, PIMS, NOC, Command Centre, ITAM, ADS and ITSM, DLP, ACC, FIM used by Bank (OEM, product model)
Response: The solution shall integrate with all the standard SOC, SIEM, DAM, PIMS, NOC, Command Centre, ITAM, ADS and ITSM, DLP, ACC, FIM wherever applicable. No Change in the RFP Terms & Conditions

Clause: Appendix E Scope of y Methodology point u
Existing clause: Bidder has to also arrange for structured cabling at each data center as per the requirement and stipulated guidelines.
Query/Suggestion: If the cabling is across the Rack, does the Bank require structured cabling or patch cords?
Response: Yes, all the cables including patch cords shall be provided by the Bidder. No Change in the RFP Terms & Conditions

S.No. 28 | RFP page 94 | Clause: Appendix E Scope of y Methodology point bb
Existing clause: Necessary Hardware/Software solution for the centralized configuration, monitoring and maintenance of different devices must be provided.
Query/Suggestion: Kindly confirm if the existing monitoring solution of the Bank can be used
Response: The Bank has generic monitoring solution. However, the same shall only be provided if it is found technically compatible. All the technical operations ement etc. shall be in the scope of work of this RFP. No Change in the RFP Terms & Conditions

S.No. 29 | RFP page 94 | Clause: Appendix E Scope of Work and Payment Schedule Service Performance and Delivery Methodology point
Existing clause: Provision for separate monitoring of production and UAT hardware and software (proper segregation of environments).
Query/Suggestion: Does the Bidder need to provide separate solution for UAT? If yes, please share the sizing to be considered for the same
Response: Yes, The UAT Setup shall be provided by the Bidder and it should be replica of Production Environment. No Change in the RFP Terms & Conditions

S.No. 30 | RFP page 96 | Clause: tems - point
Existing clause: Integration with popular application security testing Tools for key/certificate management
Query/Suggestion: Please confirm the application security testing Tool used by Bank
Response: The solution shall integrate with all standard Application Security Testing to perform the security testing of the entire solution stack. No Change in the RFP Terms & Conditions

S.No. 31 | RFP page 96 | Clause: ems - point f
Existing clause: The system must integrate with Email & SMS Solutions for sharing information and alerts
Query/Suggestion: Please confirm the SMS solution used by Bank
Response: The solution shall integrate with all standard SMS solution. No Change in the RFP Terms & Conditions

Clause: ing systems - point h
Existing clause: Integration with popular IT Service Management for automation of service management of the solution
Query/Suggestion: Please confirm the IT Service Management tool used by Bank
Response: The solution shall integrate with all standard ITSM solution for service management. No Change in the RFP Terms & Conditions

Clause: Regulatory/Compliance Requirements
Existing clause: b) The bidder shall arrange for ion sign-off. c) The PCI-DSS & ISO certificates shall be renewed regularly without any additional cost during the entire period of contract
Query/Suggestion: Understanding is Bank already has a team doing the PCI-DSS and ISO 27001 audit. Bidder only needs to close the gaps identified by the Bank's auditors of the proposed solution and need not do any PCI-DSS and ISO 27001 audit. Please clarify
Response: The Bidder is expected to arrange for PCI DSS and ISO certificate for the proposed setup of EKMS. The Bidder is expected to arrange for audit and closure both. No Change in the RFP Terms & Conditions

S.No. 34 | RFP page 118 | Clause: SERVICE DESK SUPPORT METRIC Level 3 (Highest)
Existing clause: Work around to be provided in 15 minutes and permanent resolution to be provided in 2 hours
Query/Suggestion: Depending on the issue, Resolution and work around will have a dependency on the existing controls managed by the existing partner or due to the bug in the proposed solution which will have a dependency on the OEM to release the patch. Request Bank to consider the timeline accordingly which may exceed the mentioned timelines in the clause
Response: No Change in RFP Terms & Conditions

S.No. 35 | RFP page 119 | Clause: SERVICE DESK SUPPORT METRIC Level 2 (Medium)
Existing clause: Work around to be provided in 15 minutes and permanent resolution to be provided in 4 hours
Query/Suggestion: Depending on the issue, Resolution and work around will have a dependency on the existing controls managed by the existing partner or due to the bug in the proposed solution which will have a dependency on the OEM to release the patch. Request Bank to consider the timeline accordingly which may exceed the mentioned timelines in the clause
Response: No Change in RFP Terms & Conditions

S.No. 36 | RFP page 119 | Clause: SERVICE DESK SUPPORT METRIC Level 1 (Lowest)
Existing clause: Work around to be provided in 15 minutes and permanent resolution to be provided in 6 hours
Query/Suggestion: Depending on the issue, Resolution and work around will have a dependency on the existing controls managed by the existing partner or due to the bug in the proposed solution which will have a dependency on the OEM to release the patch. Request Bank to consider the timeline accordingly which may exceed the mentioned timelines in the clause
Response: No Change in RFP Terms & Conditions

S.No. 37 | RFP page 4 | Clause: Schedule of Events
Existing clause: Earnest Money Deposit Rs.5,00,000/
Query/Suggestion: As per the Finance ministry circular dt: 12th Nov. 2020, it is reiterated in the Procurement Manuals, no provisions regarding Bid Security should be kept in the Bid Documents in future and only provision for Bid Security Declaration should be kept in the Bid Documents. Request to Waive off the EMD against which we shall provide Bid Security Declaration that we may be liable to be suspended from participation in any future tenders of the Bank if
1. The bid submitted by us is withdrawn/modified during the period of bid validity.
2. If any statement or any form enclosed by us as part of this Bid turns out to be false / incorrect at any time during the period of prior to signing of Contract.
3. In case of we becoming successful bidder and if:
a) we fail to execute Contract within the stipulated time.
b) we fail to furnish Performance Bank Guarantee within the timelines stipulated in this RFP document.
Response: No Change in RFP Terms & Conditions.

S.No. 38 | RFP page 5 | Clause: Schedule of Events
Existing clause: Delivery Schedule: Delivery schedule - Delivery of hardware & software components should be completed within Eight (08) weeks and installation and configuration of the entire solution should be completed within Ten (10) weeks from the date of issue of Purchase Order
Query/Suggestion: Consider unexpected time schedules and Global chip shortage crises we request you to consider extension in delivery timelines: Delivery schedule - Delivery of hardware & software components should be completed within Twelve (12) weeks and installation and configuration of the entire solution should be completed within sixteen (16) weeks from the date of issue of Purchase Order
Response: No Change in RFP Terms & Conditions

S.No. 39 | RFP page 50 | Clause: Bidder’s Eligibility Criteria Appendix B
Existing clause: The Bidder must have an average turnover of minimum Rs. 100 Crore during last 03 (three) financial year(s) i.e. FY 2018-19, FY 2019-20 and FY 2020-21.
Query/Suggestion: Request to modify the clause as below: The Bidder or Bidder's parent company (in case bidder is wholly owned subsidiary of parent company) must have an average turnover of minimum Rs. 100 Crore during last 03 (three) financial year(s) i.e. FY 2018-19, FY 2019-20 and FY 2020-21.
Response: No Change in RFP Terms & Conditions

S.No. 40 | RFP page 50 | Clause: Bidder’s Eligibility Criteria Appendix B
Existing clause: The Bidder should be profitable organization on the basis of profit before tax (PBT) for at least 02 (two) out of last 03 (three) financial years mentioned in para 2 above.
Query/Suggestion: Request to modify the clause as below: The Bidder or Bidder's parent company (in case bidder is wholly owned subsidiary of parent company) should be profitable organization on the basis of profit before tax (PBT) for at least 02 (two) out of last 03 (three) financial years mentioned in para 2 above.
Response: No Change in RFP Terms & Conditions

S.No. 41 | RFP page 50 | Clause: Bidder’s Eligibility Criteria Appendix B
Existing clause: Bidder should have experience of minimum 5 years in providing this or similar Software Solution/services
Query/Suggestion: Request to modify the clause as below: The Bidder or Bidder's parent company (in case bidder is wholly owned subsidiary of parent company) should have experience of minimum 5 years in providing this or similar Software Solution/services
Response: No Change in

Clause: ia Appendix B
Existing clause: The Bidder (including its OEM, if any) should either be Class-I or Class-II local supplier as defined under this RFP.
Query/Suggestion: Kindly make the Local Content applicable to OEM as they are better position to define the same than the Bidder or Bidder's CA/cost accountant or auditors
Response: No Change in RFP Terms & Conditions

S.No. 43 | RFP page 51 | Clause: Bidder’s Eligibility Criteria Appendix B
Existing clause: Client references and contact details (email/landline/mobile) of customers for whom the Bidder has executed similar projects in India. (Start and End Date of the Project to be mentioned) in the past (At least 2 client references are required)
Query/Suggestion: Client references and contact details (email/landline/mobile) of customers for whom the Request to modify the clause as below: The Bidder or Bidder's parent company (in case bidder is wholly owned subsidiary of parent company) has executed similar projects in India. (Start and End Date of the Project to be mentioned) in the past (At least 2 client references are required)
Response: No Change in RFP Terms & Conditions

S.No. 44 | RFP page 103
Existing clause: Comprehensive annual maintenance/ATS/S&S for Software Components mentioned above for four years, including annual renewal cost, if any, after the end of comprehensive warranty. (This cost should be in the range 15% to 25% p.a. of license cost of software as quoted in S. No. 2 above). Quarterly in arrears
Query/Suggestion: Request to consider ATS payment yearly in advance which is back to back with OEM payment terms.
Response: No Change in RFP Terms & Conditions

S.No. 45 | RFP page 102
Existing clause: Comprehensive annual maintenance for Hardware components mentioned above for four years, after the end of comprehensive warranty. Quarterly in arrears
Query/Suggestion: Request to consider AMC payment yearly in advance which is back to back with OEM payment terms.
Response: No Change in RFP Terms & Conditions

Clause: C
Existing clause: 1.1 The Enterprise Key cum certificate Management solution shall be a hardware based or software-based solution or combination of both. It can be a standalone or blade-based architecture in case of hardware. However, in case of blade-based architecture, one unit of Appliance will mean single chassis containing all blades in all slots. Additionally, each chassis shall redundancy for each unit of the appliance along with high availability of each unit in different chassis. In case of software components, the same shall be deployable in Bank’s private cloud.
Query/Suggestion: rtificate Management solution shall be hardware based complying with FIPS 140-2 Level 3 standard. It can be a standalone 1U appliance only. Physical form factor of Hardware key manager device: 1) 1U appliance. 2) Chassis Intrusion Detection 3) 2 Power Supplies: 4) Average Power (Watts) 0.7A@120V 84W 5) Maximum Power (Watts) 100-240V 50-60Hz 6) Voltage: 100W 7) Power Cord PSE Certified. Hardware key manager is recommended as per RBI. Please refer to page number DFs/GBS300411F.pdf
Response: The Bank expects the keys storage in a secured Hardware Security Modules to ensure tamper proof secured storage of cryptographic objects. No Change in RFP Terms & Conditions

Clause: Technical & Functio Specifications Appendix C
Existing clause: 1.2 The Solution must be FIPS 140-2 Level 3 solution must be tamper proof, not just Tamper
Query/Suggestion: The hardware key management Solution must be FIPS 140-2 Level 3 Compliant. Additionally, The solution must be tamper proof, not just Tamper
Response: The FIPS 140-2 Level 3 Standard is related to hardware. No Change in RFP Terms & Conditions

S.No. 48 | RFP page 55 | Clause: ions Appendix C
Existing clause: 1.6 For each of the Datacenter, local High Availability should be maintained (using separate physical appliances) in Active Passive mode. However, at any point, Bank may consider configuring this in Active Active mode.
Query/Suggestion: For each of the Datacenter, local High Availability should be maintained (using separate physical appliances) in Active Active mode. Recommendation to consider only active–active mode from day 1 as it provides higher throughput and load balancing. So modified this clause.
Response: No Change in the RFP Terms & Conditions

S.No. 49 | RFP page 56 | Clause: Technical & Functional Specifications Appendix C
Existing clause: 1.9 There must not be any restrictions, based on the licenses or number of applications using the hardware/appliances, if any are proposed in the solution.
Query/Suggestion: ECKMS solution has its own licensing model - typically based on number of servers connecting with it. It would be great if bank can share the number of applications they want to migrate to ECKMS first and compare the costing with an enterprise license costing (No restriction). Unlimited licenses will incur significant cost to the bank.
Response: The estimated numbers required have already been provided to enable the bidder for sizing. The Bidder to ensure no restrictions in licenses for any component. No Change in the RFP Terms & Conditions

Clause: 0
Existing clause: The hardware components of the solution must be licensed in full to the Bank with all the features and functionalities. The Bank shall have full rights to run all the features under the product suite
Query/Suggestion: The hardware components of the solution must be licensed in full to the Bank with all the features and functionalities requested in the RFP. The Bank shall have full rights to run requested features as per the RFP under the product suite offered in full during the contract period. ECKMS solutions will have multiple features which might not be relevant to bank. So there is no point in investing in those features.
Response: No Change in RFP Terms & Conditions

Clause: ional Specifications Appendix C
Existing clause: 1.22 The solution shall support management of SSL/TLS certificates deployed in all major middleware/server solutions like Apache, Apache Tomcat, IIS, JBOSS, IBM WebSphere, Oracle WebLogic, IBM HTTP, Oracle HTTP NGinX etc. The list of solutions support SSL/TLS Certificate Management for the existing framework of the Bank
Query/Suggestion: The certificate management component shall support management of SSL/TLS certificates deployed in all major middleware/server solutions like Apache, Apache Tomcat, IIS, JBOSS, IBM WebSphere, Oracle WebLogic, IBM HTTP, Oracle HTTP NGinX etc. The list of solutions is indicative and not comprehensive. In essence, it should support SSL/TLS Certificate Management for the existing framework of the Bank. This is the part of certificate management solution. Hence, keep it separate from Enterprise key management solution.
Response: No Change in RFP Terms & Conditions

S.No. 52 | RFP page 61 | Clause: Technical & Functional Specifications Appendix C
Existing clause: 1.25 The solution must be deployed in Banks premises, either on physical or virtual environment in Bank’s Private Cloud. However, the Hardware Security Modules (HSM) shall be provided as
Query/Suggestion: The solution must be deployed in Banks premises, either on physical or virtual environment in Bank’s Private Cloud. However, the Hardware key manager shall be provided as physical hardware. Hardware key manager is recommended as per RBI. Please refer to page number DFs/GBS300411F.pdf
Response: The Bank expects the keys storage in a secured Hardware Security Modules to ensure tamper proof secured storage of cryptographic objects. No Change in

S.No. 53 | RFP page 61 | Clause: s Appendix C
Existing clause: 1.26 The solution shall be capable of managing the entire Software Key Lifecycle i.e. on, renewal, backup and restore, recovery, publish, revocation and destruction in automated manner.
Query/Suggestion: The solution shall be capable of managing the entire encryption Key Lifecycle i.e. Initiation, key generation, maintenance, supply, rotation, renewal, backup and restore, recovery, publish, revocation and destruction in automated manner. Software keys are not a correct interpretation. Consider encryption keys.
Response: ckeys. No Change in RFP Terms & Conditions

Existing clause: 2 The solution must support latest symmetric and asymmetric cryptographic algorithm, Hashing algorithms, Key derivations, Key Wrapping and ike including but not limited to RSA, DSA, Diffie-Hellman, Elliptic Curve Cryptography (ECDSA, ECDH, Ed25519, ECIES) with named, user-defined and Brainpool curves, KCDSA, AES, AES-GCM, DES, Triple DES, ARIA, SEED, RC2, RC4, RC5, CAST, SHA-1, SHA-2, SM, SP800-108 Counter Mode, SP800-38F and more.
Query/Suggestion: The solution must support , Hashing algorithms, Key derivations, Key Wrapping and latest security ciphers for key/certificate management like RSA, DSA, Diffie-Hellman, Elliptic Curve Cryptography (ECDSA with Brainpool curves, AES, AES-GCM, DES, Triple DES, ARIA, SEED, RC2, RC2 and RC5 have not been considered secure as per industry best practices. Recommendation is to remove it. User defined curve impose additional challenge as they are not validated by any third party security team. Request you to remove highlighted. Please remove highlights as they have not been used anywhere in th
Response: No Change in RFP Terms & Conditions
