
Confidential- KCB Bank Group Managed Services – IT SOC Page 1 of 81 July 15, 2014

KCB BANK GROUP LIMITED

REQUEST FOR PROPOSAL

IT/JULY 2014/TENDER FOR MANAGED SERVICES

- I.T SECURITY OPERATIONS CENTER (SOC)

Release Date: Wednesday, 16th July 2014

Last Date for Receipt of bids: Wednesday, 13th August 2014 at 3.00pm (GMT+3) Nairobi, Kenya


ISSUE OF RFP DOCUMENT TO PROSPECTIVE BIDDERS

TENDER FOR SUPPLY OF MANAGED SERVICE – I.T SECURITY OPERATIONS CENTER (SOC)

This form serves as an acknowledgement of receipt of the tender and participation. This page is to be completed immediately on downloading/receiving the document and a scan copy e-mailed to [email protected]. Firms that do not register their interest immediately in this manner may not be sent the RFP addenda should any arise.

Item | Supplier Details

Name of Person

Organization Name

Postal Address

Tel No

Fax No

Email Address (this e-mail address should be clearly written as communication with bidders shall be through e-mail)

Signature:

Date

Company Stamp


Table of Contents

IT/JULY 2014/TENDER FOR MANAGED SERVICES - I.T SECURITY OPERATIONS CENTER (SOC)
DEFINITIONS
Abbreviations and Acronyms
SECTION 1 – REQUEST FOR PROPOSALS
1.1. Introduction
1.2. Background, Aims and Objectives of the tender

2.10 DOCUMENTATION REQUIREMENTS
2.11 TESTING AND ACCEPTANCE
2.12 PROOF OF CONCEPT
2.13 OVERALL RESPONSIBILITY
2.14 PRICING
2.15 DELIVERY
2.16 DELAYED DELIVERY AND INSTALLATION CAUSED BY THE SUPPLIER
2.17 WARRANTY
2.18 SUPPORT REQUIREMENTS
2.19 BID EFFECTIVENESS
2.20 PAYMENT TERMS
2.21 STAFFING
2.22 RESPONSIBILITY AS AN INDEPENDENT CONTRACTOR
2.23 BUYERS RIGHTS

SECTION 3 - GENERAL CONDITIONS OF CONTRACT
3.1 Introduction
3.2 Award of Contract
3.3 Application of General Conditions of Contract
3.4 Bid Validity Period
3.5 Performance Security
3.6 Delays in the Bidder’s Performance
3.7 Liquidated damages for delay
3.8 Governing Language
3.9 Applicable Law
3.10 Bidder’s Obligations
3.11 The Bank’s Obligations
3.12 Confidentiality
3.13 Force Majeure

SECTION 4 – ANNEXURES
ANNEX 1 – REFERENCES
ANNEX 2 – TECHNICAL SPECIFICATIONS COMPLIANCE MATRIX
ANNEX 3 – KCB IT RISK & SECURITY – TECHNICAL SECURITY CHECKLIST
ANNEX 4 – SUPPLIER QUESTIONNAIRE
ANNEX 5 – PERFORMANCE SECURITY FORM (FORMAT)
ANNEX 6 – CERTIFICATE OF COMPLIANCE


DEFINITIONS

For purposes of this document, the following definitions shall apply:

The Bank – KCB Ltd

Bid – The Quotation or Response to this RFP submitted by prospective Suppliers for fulfilment of the Contract.

Supplier – The Company awarded the task of supplying all the items described in this document, and installing and commissioning them.

Contract – Supply, installation and commissioning of all the works, equipment and/or services that are described in this document, which will contribute towards meeting the objective of the RFP.

Warranty – Period from the time installation and testing is completed, during which the Contractor undertakes to replace/rectify equipment and/or installation failures at no cost to the Bank.


Abbreviations and Acronyms

The following abbreviations and acronyms are used in this RFP:

SOC – Security Operations Center

AMC – Annual Maintenance Contract

BG – Bank Guarantee

DR – Disaster Recovery

EMD – Earnest Money Deposit

HA – High Availability

IPO – Intellectual Property Owner

IPR – Intellectual Property Rights

KCB – Kenya Commercial Bank

OEM – Original Equipment Manufacturer

RFP – Request for Proposal in Context

PBG – Proforma Bank Guarantee

SI – System Integrator

SME – Subject Matter Expert

WAN – Wide Area Network

CISA – Certified Information Systems Auditor

CISSP – Certified Information Systems Security Professional

CISM – Certified Information Systems Manager

CEH – Certified Ethical Hacker

CRISC – Certified Risk and Information Systems Control


SECTION 1 – REQUEST FOR PROPOSALS

1.1. Introduction

The Kenya Commercial Bank Limited is incorporated in Kenya and is a leading commercial banking group in the East African region, renowned for its diversity and growth. In addition to Kenya, it has other subsidiaries, namely: KCB (Tanzania) Limited, a banking subsidiary operating in Tanzania; KCB (Uganda) Limited, a banking subsidiary operating in Uganda; KCB (Sudan) Limited, a banking subsidiary operating in Sudan; KCB (Rwanda) Limited, a banking subsidiary operating in Rwanda; and KCB Burundi, a banking subsidiary operating in Burundi. The Head Office for the group is located in KENCOM House, Nairobi.

The platform is anchored on consolidation across our existing business, expanding and modernizing delivery channels, improving operational efficiencies, turning in returns commensurate with level of investment and compliance with all regulatory and internal policy guidelines.

This document therefore constitutes the formal Request for Proposals (RFP) for Provision of Managed services – I.T. Security Operations Centre (SOC), which is being availed on an open tender basis.

1.2. Background, Aims and Objectives of the tender

KCB depends a great deal on Information Technology solutions and services to manage its business operations. The IT infrastructure currently consists of a fully-fledged data Centre that connects all KCB locations and offices via a wide area network. In line with KCB strategies and with the objective of maximizing focus on core services and maximizing efficiency and effectiveness of support services, KCB has implemented multiple strategic applications that are supporting its banking and financial services business. KCB has implemented state of the art security technologies and has a strong team managing the same.

KCB intends to further strengthen its Information Systems Security by engaging a suitable Security Operations Center (SOC) security partner for managing a world-class, state-of-the-art SOC along with the required processes for its applications and infrastructure. In this context, KCB is inviting leading IT Service Providers (OSP) to submit proposals for the provision of the IT services specified in this Request for Proposal (RFP).

The objective of this RFP is to provide the bank with a comprehensive I.T Security Operations Centre (SOC) for provision of first line (L1 - Level One) IT Security support services to the entire KCB Bank Group. The IT Security Operations Centre (SOC) serves as the first point of contact for IT users on a day to day basis and will handle all incidents and service requests. The supplier will provide the correct caliber (certified) staff that will provide a round the clock service.


The following benefits are expected from the Managed IT Security Operations Center (SOC):

• Effective incident management and risk mitigation
• Metrics-driven performance
• Protection of critical information and assets
• Reduced TCO
• Availability and business continuity by 24/7 monitoring
• Security from advanced threats and risks
• Visibility of the security operations
• Regulatory compliance with industry standards
• Increased responsiveness, scalability and flexibility

1.3 Format of RFP Response and Other Information for Bidders

1.3.1 The overall summary information regarding the tender is given in section 2 - Scope of Work. The bidder shall include in their offer any additional services or items considered necessary for the successful completion of the project.

1.3.2 Proposals from bidders should be submitted in two distinct parts, namely “Technical proposal” and “Financial proposal” and these should be in two separate sealed envelopes, both of which should then be placed in a common sealed envelope marked:

IT/July 2014/Managed services – IT Security Operations Centre (SOC)

Do not open before Wednesday, 13th August 2014 at 3.00 (GMT + 3) Nairobi Kenya

The two separate inner envelopes should be clearly marked “Technical Proposal”, and “Financial Proposal”, respectively, and should bear the name of the Bidder.

1.3.3 The Technical Proposal should contain the following:

Bidders, willing to be considered for Managed services – IT Security Operations Centre (SOC) are expected to furnish the Bank with among others the following vital information, which will be treated in strict confidence by the Bank.

• Provide a company profile as per supplier questionnaire in Annex 4.
• Duly completed Technical Specifications Compliance Matrix – Annexure 2.
• Duly completed Reference Form – Annexure 1.
• Duly completed KCB IT Risk and Security – Technical Security Checklist – Annex 3.
• This RFP document duly signed.
• Approval licenses, by the various bodies for compliance, MUST be included where applicable.
• Audited financial statements of the company submitting the RFP bid, for the last two years.
• Demonstrate capability and capacity to provide technical requirements, functional requirements and functionalities as per KCB requirements in section 2 – Scope of Work.

Bids that do not have this information may be disqualified from further evaluation.


1.3.4 The Financial proposal (MUST BE IN A SEPARATE SEALED ENVELOPE CLEARLY MARKED “Financial Proposal”) shall clearly indicate the total cost of carrying out these services as follows:-

a. The Supplier shall provide a firm, fixed price for the Original Contract Period. All costs associated with the required services shall be included in the prices. Kindly note that the cost should include provision and commissioning of the services inclusive of all personnel charges, freight charges where applicable and applicable duties and taxes (VAT and withholding Tax).

Provide an itemized list of all items included and summarize your costs as shown in the table below:-

Item | Requirement Description | Qty | Unit | Unit Cost | Total cost (USD) inclusive of all applicable duties and taxes
i. | Managed Services IT Security Operations Centre (SOC) as per scope of work (includes all costs for 36 months) | 36 | Months | |
Total Cost | | | | |

b. Additional Cost to Complete. Provide an itemized list of any items not included above by the Bank and related costs that Supplier deems necessary to provide the information to meet the requirements specified in proposal. Failure to provide said list shall not relieve the Supplier from providing such items as necessary to meet all of the requirements specified in proposal at the Fixed Price Purchase Costs proposed.

1.3.5 Soft Copies for each proposal may be provided in the standard Microsoft Office suite of Programs or Adobe Reader and delivered together with hard copy of the tender. NOTE that only the information on the Hard copy Bound bid document shall be considered as the MAIN source document.

1.3.6 Bidders are requested to hold their proposals valid for ninety (90) days from the closing date for the submission. The Bank will make its best efforts to arrive at a decision within this period.

1.3.7 Assuming that the Contract will be satisfactorily concluded, the bidders shall be expected to commence the assignment after the final agreement is reached.

1.3.8 The contracting arrangements shall define clearly the responsibilities and the services to be provided by each firm in the case of a joint venture.


1.3.9 The Bank reserves the right to accept or to reject any bid, and to annul the bidding process and reject all bids at any time prior to the award of the contract, without thereby incurring any liability to any Bidder or any obligation to inform the Bidder of the grounds for its action.

The vendor’s terms and conditions will not form part of any contract with KCB in relation to this tender.

Canvassing is prohibited and will lead to automatic disqualification.

1.3.10 Cost of bidding

All costs pertaining to the preparation of a proposal and negotiations of a contract shall be borne by the firms submitting proposals. The Bank will in no case be responsible or liable for those costs, regardless of the conduct or outcome of the bidding process.

1.3.11 Cost Structure and non-escalation

The bidder shall, in their offer (Financial Proposal), detail the proposed costs. No price escalation under this contract shall be allowed. The Bank shall not compensate for any costs incurred in the preparation and submission of this RFP.

1.3.12 Clarification of Bidding Document

i. All correspondence related to the contract shall be made in English.

ii. Should there be any doubt or uncertainty, the Bidder shall seek clarification in writing addressed to the Head of Procurement through e-mail to: [email protected].

iii. Any clarification sought by the bidder in respect of the RFP shall be addressed at least five (5) working days before the deadline for submission of bids, in writing to the Head of Procurement through the same mail.

iv. It is the responsibility of the Bidder to obtain any further information required to complete this RFP.

v. Any clarification requests and their associated response will be circulated to all Bidders.

vi. The last date for receipt of requests for clarifications from bidders is Friday, 25th July 2014.

vii. The RFI Clarification Template is as follows:-

• Company Name:
• Contact Person: (primary Supplier contact)
• E-mail:
• Phone:
• Fax:
• Document Number/Supplier

# | Date | Section/Paragraph(2) | Question
1 | | |
2 | | |
3 | | |

(1) Question(s) mailing Date.
(2) From the KCB Document.

The queries and replies thereto shall then be circulated to all other prospective bidders (without divulging the name of the bidder raising the queries) in the form of an addendum, which shall be acknowledged in writing by the prospective bidders. Enquiries for clarifications should be sent by e-mail to: [email protected]

1.3.13 Amendment of Bidding Document

At any time prior to the deadline for submission of bids, the Bank, for any reason, whether at its own initiative or in response to a clarification requested by a prospective Bidder, may modify the bidding documents by amendment. All prospective Bidders that have received the bidding documents will be notified of the amendment in writing, and it will be binding on them. It is therefore important that bidders give the correct details in the format given on page 1 at the time of collecting/receiving the RFP document. To allow prospective Bidders reasonable time to take any amendments into account in preparing their bids, the Bank may at its sole discretion extend the deadline for the submission of bids based on the nature of the amendments.

1.3.14 Deadline for Submission of Bids

The bid documents shall be addressed to the following address and dropped at the tender box on 5th Floor, Kencom House, Wing B on or before the closing date of Wednesday, 13th August 2014 at 3.00 pm.

Head of Procurement
Kenya Commercial Bank
5th Floor Kencom House, Moi Avenue
P.O. Box 48400, 00100
Nairobi, Kenya

Please note that tenders received by facsimile or electronic mail will be rejected and any bid received by the Bank after this deadline will be rejected. Those submitting tenders or their representatives may attend the tender opening on the date and at the time of submission.

1.3.15 Responsiveness of Proposals

The responsiveness of the proposals to the requirements of this RFP will be determined. A responsive proposal is deemed to contain all documents or information specifically called for in this RFP document. A bid determined not responsive will be rejected by the Bank and may not subsequently be made responsive by the Bidder by correction of the non-conforming item(s).


1.3.16 Currency for Pricing of Tender

All bids in response to this RFP should be expressed in US Dollars (USD). Expressions in other currencies shall not be permitted.

1.3.17 Taxes and Incidental Costs

The prices and rates in the financial offer will be deemed to be inclusive of all taxes and any other incidental costs.

1.3.18 Correction of Errors

Bids determined to be substantially responsive will be checked by the Bank for any arithmetical errors. Errors will be corrected by the Bank as below:

• Where there is a discrepancy between the amounts in figures and in words, the amount in words will govern, and

• Where there is a discrepancy between the unit rate and the line total resulting from multiplying the unit rate by the quantity, the unit rate as quoted will govern.

The price amount stated in the Bid will be adjusted by the Bank in accordance with the above procedure for the correction of errors.

1.3.19 Bid Evaluation and Comparison of Bids

Technical proposals will be evaluated and will form the basis for bids comparison. All tender responses will be evaluated in two phases:-

a. Detailed technical evaluation to determine administrative compliance, technical compliance and support responsiveness of the vendor.

b. Financial evaluation to consider pricing competitiveness and the financial capability of the vendors.

Once the bids are opened, bid evaluation will commence. In the event that the bank may need to visit client site, vendors will be notified in writing. The bank may also make surprise unannounced visits to the vendors' offices to verify any information contained in the bid document. All visits are at the discretion of the bank. Vendors may also be called upon to make brief and short presentations and/or demos on their services before a panel constituted by the bank.


SECTION 2 : SCOPE OF WORK - Security Operations Center (SOC) Services

2.1 Master Scope Managed Services - Security Operations Centre (SOC) covering end-to-end security operations

Service Provider shall supply skilled manpower for Security Operations Center (SOC) operations over a period of three years (36 months) at KCB location as detailed in this section. All Resources should be on the payrolls of the bidder. Service provider shall ensure uptime & availability of SIEM & Security Tools. Service provider resources are expected to deliver SOC services including but not limited to performance monitoring, performance tuning, optimization, and maintenance of SIEM & security tools, as well as SIEM log backup, troubleshooting, security monitoring, security product management, vulnerability assessment and penetration testing, application security testing and Malware Monitoring. The detailed SOC report formats will be discussed and finalized with L1 bidder.

Note: The Managed-Security Operation Center will offer

• Security incident and event management
  o 24/7 security monitoring
  o Threat intelligence
  o Log collection and management
  o Event correlation
  o Security incident response

• End-point security
  o Anti-virus management
  o File integrity
  o Host intrusion prevention
  o Network access control

• Network security
  o Network intrusion prevention
  o Firewall management
  o Email security

• Vulnerability management
  o IT infrastructure vulnerability scanning
  o Web application scanning
  o Remediation and reporting
  o Policy compliance

• Data security
  o Encryption
  o Data Leak Prevention (DLP)
  o Web content filtering

• Identity and Access Management (IAM)
  o User provisioning
  o Access control
  o Entitlement review
  o Governance and compliance
  o Reporting

The selected SOC partner under this RFP will deliver services mentioned above, as per the following service categories:

2.1.1 Security Monitoring Services: This service will help KCB to monitor for security events throughout its network by analysis of logs from all servers, devices and key applications in KCB. The security monitoring service will have following components:

a. 24X7 log monitoring for identified devices and applications.

b. Rapid response to incidents & forensics.

2.1.2 Security Product Management: This service will help KCB to centralize the management of security products like RSA enVision, Tripwire, McAfee DLP, Websense Content Filter, Tivoli enterprise manager (TEM), Imperva Secure sphere DAF/WAF, T24 Fraud Monitoring Tool, Mail marshal and to have tight control on the security rules. Services will also include Security products procured in future. The services will include-

a. Configuration, fault, performance and availability management

b. Co-ordination with internal teams for rule base management

2.1.3 Vulnerability Management Services: This service will help KCB to centrally assess and mitigate the security risks in its network, servers & devices on a continuous basis. The service will include-

a. Set up a baseline security level for KCB assets.

b. Conduct VAPT and Application Security tests as and when required. Bidder has to provide tools / utilities and skilled resources to conduct them. The bidder’s (SOC) team has to provide steps for closure of findings & provide reports on a daily basis till closure.

c. Assess the current environment against this baseline on a periodic basis

d. Ensure that the baseline is maintained on an on-going basis and hence assets are secured against risks.

e. Track the mitigation and coordinate with asset owners for closure of security gaps.


f. The Bidder should perform the Application Security Scans. The team has to report and certify the application go live.

2.1.4 Malware Monitoring Services: This service will help Organization mitigate the website related risks on continuous basis. The service will include-

a. 24X7 malware scanning of critical websites

b. Coordinate rapid response

c. Forensics analysis

2.2 SIEM & Security Tools implementation GAP Analysis Services (onetime)

The Bidder should perform gap analysis of the SIEM & Security Tools implementation to ensure it meets best practices and KCB requirements.

Type of Engineer/Requirements | SOC L1 Support Engineers | SOC L2 Support Engineers | Total
Nairobi/Kencom Location | 5 | 2 | 7

Skills, Requirements

SOC L1 Support Engineers:

• BSc. Computer Science
• BSc. Engineering
• BSc. Mathematics
• BSc. General
• Minimum of two years’ experience in SOC services conducting security device administration & management.
• Minimum 1 year in operating a SIEM product and other security tools.
• CEH certified preferred.

SOC L2 Support Engineers:

• B.E. / B.Tech / BSc.
- Total 5 years of experience, out of which minimum 3 years’ experience in SOC services conducting security device administration & management and minimum 2 years in SIEM tool & other security tools.
- Certification in at least one industry leading SIEM product and other leading certifications in security, such as CISA, CEH, CISSP, CISM, CRISC.

Please Note:

1. SOC delivery model may be onsite/offsite and/or hybrid.
2. The SOC skilled manpower requirement is for 7 FTEs. However, KCB reserves the right to increase / decrease this number, anytime during the contract period.
3. The Bidder is expected to quote for the supply of manpower for minimum of these 7 FTEs for SOC operations. The job descriptions, responsibilities and skill sets are as per this document.
4. The L1 resources are expected to work in three shifts 24 X 7. L2 resources are expected to work in 2 shifts to cover maximum peak business hours.


Days | Weekdays | Weekends
Morning (6am – 3pm) | 3 | 2
Afternoon (2pm – 11pm) | 3 | 2
Night (10pm – 7am) | 2 | 2

Single Point of Contact

The short listed L1 Bidder shall appoint a single point of contact with whom KCB will deal for any activity pertaining to the requirements of this RFP.

2.3 Detailed Technical Specification

2.3.1 Security Monitoring Services

Bidder should provide services for 24x7 monitoring of operating systems, web servers, databases, network devices, security devices and business applications. The services will include review of the logs generated from servers and applications in real time to detect suspicious activities and potential attacks. Immediate response action will need to be initiated by the Bidder to stop the attacks. Bidder will provide the services using the SIEM platform procured by KCB and through its dedicated personnel & processes based out of the Security Operations Center of KCB. The onsite team should be supported for various services by the Bidder’s SOC or backend team as required. The scope of services and its specification are given below.

Bidder proposals should include description of its process & methodology to offer these services, sample service output (log baselines, report formats), experience with similar environments and resume of skilled personnel who will be allocated towards this service.

2.3.1.1 Asset Scope

The assets configured and included in SIEM & Security Tools are those that will be in scope for security monitoring. Bidder has to ensure that the services provided by it for security monitoring cover the above assets as per the service specification, deliverables and SLA described in the following section.

2.3.1.2 Service Specification

The security monitoring service to be provided by the Bidder should meet the following specifications.

# Requirements

1 Bidder should monitor security logs to detect malicious or abnormal events and raise the alerts for any suspicious events that may lead to security breach in KCB environment. Monitoring should be done on 24/7 basis with onsite personnel. Bidder should provide the personnel for managing the security monitoring service as per the team specifications in scope of work.

2 Bidder should develop, update and maintain log baselines for all platforms at KCB that are required to be monitored.


3 Bidder should coordinate with IT operations to implement and maintain the log baselines on production systems

4 Bidder should detect both internal & external attacks. In addition to security attacks on IT infrastructure, Bidders should also monitor for security events on business applications, databases and also identify network behavior anomalies.

5 Bidder should monitor, detect and manage incidents for the following minimum set of IT infrastructure security events. This is indicative minimum list and is not a comprehensive/complete set of events. Bidders should indicate their event list in proposal response.
- Buffer Overflow attacks
- Port & vulnerability Scans
- Password cracking
- Worm/virus outbreak
- File access failures
- Unauthorized server/service restarts
- Unauthorized changes to firewall rules
- Unauthorized Bidder access to systems
- SQL injection
- Cross site scripting

6 Bidder operations team at KCB should send alerts with details of mitigation steps to designated personnel within KCB and any identified service provider of KCB.

7 Bidder should provide coordinated rapid response to any security incident. Bidder should contain attack & coordinate restoration of services. While Bidder personnel will enlist support of other departments and service providers in KCB, primary responsibility for incident response will be with the Bidder.

8 Bidder should maintain a knowledge base of alerts, incidents and mitigation steps and this knowledge base should be updated with evolving security events within and outside KCB. Team should send customized alert advisories to the respective teams in KCB.

9 Evidence for any security incident should be maintained in tamper proof manner and should be made available for legal and regulatory purposes, as required.

10 Bidder should add/delete/modify rules, reports and dashboards based on KCB requirements

11 Bidder should provide MIS reports to KCB on daily, weekly and monthly basis. Reporting requirements will be finalized with the selected Bidder. Bidder should also have the provision to provide reports on demand whenever required by KCB.

12 Bidder should conduct forensic analysis for security incidents to enable identification of perpetrators and their methodologies.

13 Bidder should do root cause analysis for security incidents and coordinate implementation of controls to prevent recurrence.

14 Bidder should carry out system administration tasks including regular backup of system, restoration, installation, health check and others

15 Bidder should manage any faults in the SIEM solution by troubleshooting and coordinating with the OEM/principal

16 Bidder team Analyst(s) and program manager are responsible for managing the security monitoring team and ensuring satisfactory performance

17 All deliverables including reports should undergo Quality Assurance process. Bidder team lead should define quality metrics, measurement frequency and reporting periodicity in consultation with KCB

18 Analyst should review reports, operating procedures, administrative activities on a daily basis to identify quality issues

19 Analyst should submit periodic Quality Assurance reports to KCB as per the reporting frequency designed.

20 Bidder should provide backend support to the onsite team from its own SOC. Such support should at the minimum include:
1. Managing escalations from onsite team for detection & response to new threats & complex attacks that onsite team is unable to resolve.
2. Adding new/updated threat scenarios and other best practices in KCB’s SIEM tool for detection & response based on Bidder SOC visibility & experience across other customers.
3. Forensic analysis of attacks/incidents including making available specialists, domain experts, tools.

21 Bidder should ensure continuous training and best practice updates for onsite team from its backend resources.

22 Bidder should provide a proactive solution to identify problems.

23 Bidder should provide incident tracking and management solution, which:
- Should have the feature to log problems.
- Should make categorization and prioritization of problems possible.
- Should have feature to auto assign tickets.
- Should have facility to assign tickets based on policy and workflow rules and should have at least 5 escalation levels.
- Should have a feature to cascade and organize rules.
- Should notify users/technicians of pending requests. It should have the feature to create rules for such notifications.
- Should make it possible to send personalized e-mails to users.
- Should make it possible to send notification emails to the requester.
- Should converge all IT help desks in your business units across buildings/complexes or countries, to function as a single help desk.
- Should customize the holidays, departments, technicians/site associations, groups, business rules and SLAs as per the location's operational hours.
- Should enable the requests logged in from each site to be resolved within that particular site's operational hours.
- Should automatically reset the end-user's password without the involvement of helpdesk technicians.
- Should support integration with LDAP and Active Directory.

2.3.1.3 Deliverables

Bidder should meet the service specifications mentioned above. Along with meeting service specifications Bidder should provide the following Deliverables as per SLA mentioned below


# 1
Area: Event monitoring
Expected Output:
- 24X7 monitoring for identified assets and 24X7 response for any events
- Detection of internal & external attacks, suspicious events or abnormal behaviour against pre-defined baseline for network, applications and databases
- Recommend mitigation steps for alerts
- Alert categories and their prioritization and reporting format as per mutually approved process & escalation matrix
SLA:
- Sending alerts with mitigation steps to designated personnel:
  15 min: Very high priority events
  30 min: High priority events
  60 min: Medium priority events
- Alerting method:
  Email/SMS/Call: Very high priority events
  Email/SMS: High priority events
  Email: Medium priority events

# 2
Area: Incident Management & Forensics
Expected Output:
- Coordinated rapid response to any security incident
- Contain attack & restore services
- Forensic analysis & report
- Root cause analysis report and long term security control identification
- Evidence collection and retention for legal and regulatory purpose
- Log retention and repository of incident knowledge base
SLA:
- Providing initial response to incidents:
  60 min: Very high priority incidents
  90 min: High priority incidents
  120 min: Medium priority incidents
- Providing report with root cause analysis:
  24 hours: Very high priority incidents
  48 hours: High priority incidents
  72 hours: Medium priority incidents
- Availability of logs relevant to reported events/incidents for the period of: 12 months
- Retention of all logs for a period of one year
- Repository of incidents and mitigation knowledgebase

# 3
Area: Reports
Expected Output:
- Timely submission of daily, weekly and monthly reports
- Multiple types of reports, an indicative list is given below:
  Daily reports including firewall change reconciliation, unauthorized database admin access, referrer log brand misuse reports, anti-virus policy non-compliance, unauthorized service provider access, privilege misuse/escalation
  Weekly reports including persistent top attackers, attacks, attack targets, trend analysis
  Monthly MIS reports, executive representation for top management, trend analysis
  Reports as defined by KCB from time to time.
SLA:
- Daily Reports: By 12:00 PM
- Weekly Reports: By 10:00 AM, Monday
- Monthly Reports: By 5th of each month

2.4 Security Product Management

Bidder should manage security products from KCB SOC. The products that need to be covered include: RSA enVision, Tripwire, McAfee DLP, NetGuardians T24 fraud monitoring tool, Imperva SecureSphere DAF/WAF, and any new product procured. Bidder should configure policies, manage backup/restore, manage faults and monitor performance of these products. The Bidder team should be dedicated for the same with team structure as described in the table for operations team structure in this section. The onsite team should be supported for various services by the Bidder’s SOC or backend team as required.

Bidder should bring the required processes & methodologies for security product management as per the scope (as well as any additional tool that KCB currently does not have) and service specifications given below. Bidder proposals should capture process & methodology to offer these services, sample service output (product configuration baselines, report formats), experience with similar environments and resume of skilled personnel who will be allocated towards this service.


2.4.1 Asset Scope

Please refer to the section on Asset Scope.

2.4.2 Service Specification

The security device management service to be provided by the Bidder should meet the following specifications. Bidder should provide compliance status and remarks for any deviations.

# Requirement

1 Management of products in scope for policies, configurations, availability, fault and capacity management during business hours

2 Open a case with OEM/product support for all faults. Coordinate with OEM/product support for resolution. Communicate status to KCB on a regular basis

3 Review SLAs with OEM/product support and recommend measures to improve the service levels.

4 Maintain IP addressing schemes, routing information, routing tables for security device operations

5 Provide recommendations for architecture enhancements/changes that can enhance the security posture

6 Management of the security products for policy changes including rule changes, signature updates arising from business requirements or in the event of attacks

7 Provide KCB with a root cause analysis of downtime due to faults, security events including preventive measures being taken to prevent future similar incidents and outages

8 Coordinate delivery with all stake holders including help desks, network team, IT team, application team and all appropriate third parties, as necessary, for the management of products in asset scope

9 Maintain security product configuration, based on industry best practices and as requested, for the products within the Asset Scope

10 Maintain complete documentation and architecture layout for all products with site deployment layout

11 Participate in technical and business planning sessions to establish security standards, architecture and project initiatives where the security products may impact or improvise the design

12 Provide infrastructure security planning & analysis, recommendations for installation and upgrade of products in scope

13 Tracking/Alerting the required license, software subscription for all hardware & software components of devices in scope

14 Bidder should analyze performance reports and formulate plan for capacity addition

15 Provide technical expertise/support for audits on the products in scope

16 Set up and manage admin and user accounts. Perform access control on need basis

17 Take the backup of product configuration files any time there is a change in device configuration

18 Review the backup configuration and business continuity procedures to be followed in the event of device failure

19 Submit the Periodic Reports on the backup status

20 Restore configuration in the event of product crash, corruption or other failure

21 Design and program manage new device implementations

22 Bidder should provide backend support to the onsite team from its own SOC. Such support should at the minimum include:
• Escalations from onsite team for specialist support on security product categories to resolve faults, configuration related issues
• Share best practices on product configuration standards & policies with onsite team

23 Bidder should ensure continuous training and best practice updates for onsite team from its backend resources.

24 The following activities have to be carried out specifically for the DLP system in scope:
1. Identify the sensitive data that needs to be protected by DLP in discussion with KCB.
2. Discover sensitive data by periodically scanning servers and endpoints of KCB.
3. Design, configure and fine tune DLP policies to protect sensitive data in accordance with KCB requirements.
4. Design and configure DLP reports and dashboard.
5. Generate daily, weekly, monthly DLP reports as required.
6. Monitor and analyze DLP alerts and perform incident management.

25 The following activities have to be carried out specifically for the PIM solution in scope:
1. Conduct role engineering to design the access policies for servers and network devices
2. Configure and fine tune access policies for servers and network devices
3. Configure end user accounts and associated access policies and manage their privileges
4. Design and configure PIM reports and dashboard
5. Generate daily, weekly, monthly PIM reports as required
6. Monitor and analyze PIM alerts and perform incident management
7. Analyze PIM recordings for incident analysis

26 The following activities have to be carried out specifically for the FIM solution in scope:
1. Identify the files to be monitored across servers/network devices based on best practices, regulatory/standards requirements and KCB requirements.
2. Identify configuration audit requirements
3. Design, configure and fine tune the FIM and configuration audit policies for the identified files and configuration items to be monitored.
4. Design and configure FIM reports and dashboard.
5. Generate daily, weekly, monthly FIM reports as required.
6. Monitor and analyze FIM alerts and perform incident management.


27 Create or migrate users from LDAP/User repository to the two-factor authentication server

28 Carry out token life-cycle management procedures such as
1. User Token provisioning procedure
2. Modification of two-factor authentication privileges for end user owing to change in job role
3. Token revocation on exit or termination
Carry out Help desk procedures such as
1. Reporting lost tokens
2. Returning faulty, damaged or expired tokens
3. Enabling emergency access for permanently lost, damaged or expired tokens
4. Inventory management

2.4.3 Deliverables

Bidder should meet the service specifications mentioned above. Along with meeting service specifications Bidder should provide the following Deliverables as per SLA mentioned below:-

# 1
Area: Architecture planning, review & redesign (as required from time to time)
Expected Output:
1. Plan & review placement of servers in the network segments
2. Plan & review Device segmentation
3. Plan & review authentication schemes
4. Plan & review integration with other security components
5. Oversight for new device implementation
SLA:
- Completion of activities within mutually agreed upon timelines

# 2
Area: Policy & user Management
Expected Output:
1. Risk Analysis and policy design
2. Configuration of policies
3. Document policy change
4. Policy optimization for all the Devices
5. Audit policy for exceptions
6. Set up and manage admin and user accounts as per policies of KCB
7. Interact with network team for managing escalations with NOC
SLA:
- Emergency Changes:
  30 min: Acknowledgement of change request
  60 min: Implementation of change requests
- Routine Changes:
  4 hours: Acknowledgement of change requests
  8 hours: Implementation of change requests

# 3
Area: Availability and Configuration Management
Expected Output:
1. Backup & restoration of configuration
2. Periodic review of the backup configuration and business continuity procedures to be followed in the event of Device failure
3. Monitor the availability of devices
4. Root cause analysis for failure/downtime of security devices
5. Maintain IP addressing schemes, routing information, routing tables, for the Device operations
6. Detailed analysis of misconfigurations, OS/application failures
7. Comply with KCB policies & regulations applicable to KCB
8. Tracking the SLA with product Bidder or reseller, maintenance contract, required license, software subscription for all hardware & software components of Devices.
SLA:
• Periodic Backup as per KCB's policy
• Backup before and after implementation of any change
• Quarterly report on maintenance contract & software subscription

# 4
Area: Fault Management
Expected Output:
1. Open a case with device supplier in the event of hardware component or system failure or bugs
2. Co-ordinate with device supplier/OEM for solution
3. Review the device supplier/OEM SLA for recommending measures to improve the service levels
4. Track AMC renewal dates
5. Root cause analysis for any failures/downtimes
SLA:
- Open a ticket within 30 minutes of problem identification
- Status update every 4 hours to KCB personnel
- Quarterly review of Bidder SLA

# 5
Area: Device migration/update
Expected Output:
1. Prepare and review capacity plans for security devices and recommend upgrades as required.
2. Provide security infrastructure analysis, recommendations for installation and upgrade
3. Prepare specifications, architecture and detailed plan for migration/upgrade
4. Test migration/upgrade plan in staging environment
SLA:
- Quarterly analysis report as per KCB's specified format
- Version upgrades within 3 months from release of new version

2.5 Vulnerability Management Services

Vulnerabilities in an asset, including missing patches and insecure configuration, can lead to security compromises. KCB plans to set up a strong vulnerability management process that is centralized and continuous for assessing security gaps across its IT infrastructure.

Under vulnerability management plan, KCB requires risk based vulnerability scanning and secure configuration assessments. The frequency and depth of scan and assessments will be determined by the asset criticality and its risk exposure. KCB requires the Bidder to execute vulnerability assessments both scanning & configuration assessments, as per the scope given below, from the KCB's SOC. Bidder should deploy its team processes and methodologies at KCB's SOC for carrying out the activities. The Bidder team should be dedicated for the same with team structure as described in the table for operations team structure in this section. The onsite team should be supported for various services by the Bidder’s SOC or backend team as required.

Bidder proposals should capture process & methodology to offer these services, sample service output (baselines, report formats), experience with similar environments and resume of skilled personnel who will be allocated towards this service.

2.5.1 Asset Scope

All the present and future application platforms of KCB are in scope for scanning & configuration assessment.

2.5.2 Service Specification

The Vulnerability management service to be provided by the Bidder should meet the following specifications. Bidder should provide compliance status and remarks for any deviations.

# Requirements

1 Bidder should conduct scanning & configuration assessments as per frequency defined in the asset scope table

2 Configuration assessments should check for compliance against the secure baseline and SANS, NIST, CIS, KCB baselines, CERT-IN, CBK guidelines as updated from time to time.

3 Configuration assessment of OS should check for the items given below. This is a minimum indicative list and Bidders are encouraged to check for more settings in line with best practices (SANS, NIST, CIS, KCB baselines, CERT-IN, CBK):
- Shares with insecure permission
- Permissions to critical system files and folders
- Audit log settings
- Space allocated for Event Viewer logs
- SNMP community strings
- Password and account lockout policies
- Non-essential services check
- TCP/IP stack settings
- User rights assignment
- Latest Service Pack installation
- Latest security patches installation
- Antivirus software

4 Configuration assessment of database should check for the items given below. This is a minimum indicative list, Bidders are encouraged to check for more settings in line with best practices (SANS, NIST, CIS, KCB policies, CERT-IN, CBK):
- Default passwords
- DBLINK Encrypt Login Option
- Allocation of Unlimited Table space
- Temporary and Default Table space Management
- Unrestricted access to services
- Web based access to database using iSQL*Plus
- Run time modification of the listener service
- Look for latest version
- Test for secure authentication mechanism
- Latest version not installed

5 Configuration assessment of network & security devices should check for the items given below. This is a minimum indicative list, Bidders are encouraged to check for more settings in line with best practices (SANS, NIST, CIS, KCB Baselines):
- Access Control
- System Authentication – remote administration security, password security
- Auditing and Logging
- Insecure Dynamic Routing Configuration
- Insecure Service Configuration – Unnecessary services running, SNMP service security
- Insecure TCP/IP Parameters – source routing, IP directed broadcasts, UDP broadcast forwarding
- Latest version not used

6 Scanning should check for the items given below. This is a minimum indicative list, Bidders are encouraged to check for more settings in line with best practices including PCI, OSSTM, KCB Baselines, CERT-IN:
- Tests for default passwords
- Tests for DoS vulnerabilities
- Test for buffer overflows
- Test for directory traversal
- Test for insecure services such as SNMP
- Check for vulnerabilities based on version of device/server
- Test for SQL, XSS and other web application related vulnerabilities
- Check for weak encryption
- Check for SMTP related vulnerabilities such as open mail relay
- Check for strong authentication scheme
- Test for sample and default applications/pages
- Check for DNS related vulnerabilities such as DNS cache poisoning and snooping
- Test for information disclosure such as internal IP disclosure
- Look for potential backdoors
- Check for older vulnerable version
- Remote code execution
- Weak SSL Certificate and Ciphers
- Missing patches and versions

7 The Bidder team should work with KCB personnel or its other outsourced partners for remediation of vulnerabilities. Bidder team should provide support for testing recommendations in UAT, prepare plan for implementation in production and provide support for production rollout

8 Bidder should conduct a confirmatory audit to confirm the remediation action that has been taken by relevant operations teams at KCB

9 All deliverables including reports should undergo Quality Assurance process. Project Manager should define quality metrics, measurement frequency and reporting periodicity in consultation with KCB

10 Bidder should provide backend support to the onsite team from its own SOC. Such support should at the minimum include:
1 Escalations from onsite team for specialist support on detected vulnerabilities & solutions for mitigation.
2 Share best practices on configuration standards, new vulnerability checks with onsite team.

11 Bidder should ensure continuous training and best practice updates for onsite team from its backend resources.

2.5.3 Deliverables

Bidder should meet the service specifications mentioned above. Along with meeting service specifications Bidder should provide the following Deliverables as per SLA mentioned below

# 1
Area: Secure Configuration assessment
Expected Output:
Carry out secure configuration assessments as per the asset list, frequency provided and test criteria. Submit assessment reports, containing the following
1. Executive summary
2. Benchmark with SANS, NIST, CIS, KCB Policies, CERT-IN
3. Categorization of vulnerabilities based on risk level
4. Details of security vulnerabilities
5. Emergency quick-fix solution for discovered vulnerabilities
6. Long-term solution for discovered vulnerabilities
7. Post correction assessment findings
SLA:
- Meet assessment periodicity given in asset scope section
- Meet quality criteria defined by KCB on configuration checks and report formats

# 2
Area: Vulnerability Scanning
Expected Output:
1. Carry out vulnerability scanning and asset discovery scanning as per the asset list, frequency provided and test criteria.
2. Submit report containing the following
3. Executive summary
4. Benchmark with PCI, OSSTM
5. Categorization of vulnerabilities based on risk level
6. Details of security vulnerabilities
7. Emergency quick-fix solution for discovered vulnerabilities
8. Long-term solution for discovered vulnerabilities
9. Post correction assessment findings
SLA:
- Meet scanning periodicity given in asset scope section
- Meet quality criteria defined by KCB on scanning checks and report formats

# 3
Area: Mitigation support
Expected Output:
Bidder should track mitigation for the reporting findings of scanning and assessment activities.
SLA:
- Updated information on mitigation status.
- Timely query resolution on mitigation recommendations

2.6 Malware Monitoring Services

Bidder should provide an online solution for malware scanning of KCB’s web sites. Bidder should bring the required tools, processes and methodologies. Bidder should protect the Organization from license & IP related issues. Bidder proposals should capture process & methodology to offer these services, tool description, sample service output (report formats), experience with similar environments and resume of skilled personnel who will be allocated towards this service.

2.6.1 Asset Scope

All unique web sites / web applications hosted by KCB.

2.6.2 Service Specification

The web malware scanning service to be provided by the Bidder should meet the following specifications. Bidder should provide compliance status and remarks for any deviations.

# Description

1 24X7 monitoring for Malicious Mobile Code (MMC) and malware infection of websites as given in asset scope

2 Real time detection of MMC/malware infection/injection

3 Solution should be a tool based automated solution including the following features:
- Spider sites in scope on a continuous basis.
- Detect & alert for malware infection.
- Baseline website and detect malicious changes to website.
- Detect malicious links including ones pointing to other sites with malware or ones that are pointing to malware uploaded in the same site.
- Detect malicious java scripts, flash content.
- Analyze HTML tags for malicious entries.
- Check URLs against global blacklist databases.
- Scan spider pages with industry leading anti-virus/anti-spyware.
- Support reporting in different formats including PDF reports.

4 Solution should be implemented onsite at KCB and integrate with all websites under the scope.

5 Solution should support scanning to a depth of at least two pages and expanded to higher depth based on risk level of the site.

6 Solution should support scanning of static and dynamic links.

7 Bidder should report and engage the team to take down MMC/malware injection server once it is identified as the source after proper approval.

8 Bidder should manage incidents for MMC/malware infection/injection including solution, coordination for recovery in the shortest possible time.

9 Solution should be independent of application platform of the website.

10 Bidder should provide online security dashboard to capture security status of monitored websites and also to track mitigation status of infected sites

11 Bidder should provide backend support to the onsite team from its own SOC. Such support should at the minimum include:
- Alert & support onsite team in scenarios where there is a sudden increase in phishing or malware attacks across other Organizations as seen by Bidder SOC
- Any software development work for automation of workflows, integration with service desk or development of dashboard/reporting templates or testing tool development

12 Bidder should ensure continuous training and best practice updates for onsite team from its backend resources.

2.6.3 Deliverables

Bidder should meet the service specifications mentioned above. Along with meeting service specifications Bidder should provide the following Deliverables as per SLA mentioned below

# 1
Area: Malware scanning services
Expected Output:
- Alert Organization on web based malware on KCB sites being monitored
- Alert Organization of existence of Blacklisted links on KCB sites being monitored
- Alert Organization of potentially malicious website changes on KCB sites being monitored
- Incident Management for malware incidents including providing emergency response, identify root cause and provide solution, coordinate with Organization's Bidders as needed
SLA:
- Inform KCB team via Email/SMS within 30 min of detection of malware, unauthorized change or Blacklisted Link
- First level incident management response within 60 minutes of alerting KCB team

# 2
Area: Security Dashboard
Expected Output:
- Online dashboard to capture security status of monitored websites and also to track mitigation status of infected sites
SLA:
- Deliver and maintain the dashboard as required by the Organization
- Upgrade and provide new features to support evolving needs at the Organization within agreed upon time.
- Update with new data as required

2.7 SIEM & Security Tools implementation GAP analysis Services (onetime)

# Description

1 The Bidder should perform gap analysis of the SIEM implementation to ensure it meets best practices and KCB requirements.

2 The audit should check the adequacy of log baselines for the devices being monitored.

3 The audit should check if the use cases meet best practices and KCB requirements.

4 The audit should check if the SIEM implementation has met all system requirements specified by the OEM.

5 The audit should check if SIEM configuration is as per best practices and KCB requirements.

6 Ensure that log collection server installation and configuration is proper.

7 Identify the level of logs to be enabled across the different components of IT infrastructure.

8 Support the IT team with the required information to bridge the gap.

9 Define the required rules, alerts, reports and dashboards as relevant to meet the highest levels of security for KCB.

10 Suggest Event correlation design which includes the attributes like events, asset, vulnerability, business value in the threat calculation.

11 Recommend method of making Evidence for any security incident available for legal and regulatory purposes.

2.8 Reporting

KCB requires Bidders to provide relevant consolidated as well as individual reports of all activities performed by the Bidder to the top management of KCB. The security reporting service to be provided by the Bidder should meet the following specifications. Bidder should provide compliance status and remarks for any deviations.


# Description

1 Bidder should provide detailed MIS reports to KCB on a monthly basis

2 Bidder should provide quarterly update through a senior resource on activities, security posture of KCB to key stakeholders

2.8.1 Deliverables

Bidder should meet the service specifications mentioned above. Along with meeting service specifications Bidder should provide the following Deliverables as per SLA mentioned below.

# Area Expected Output SLA

1 Consolidated MIS report across all services rendered

NCPI Security Status

Activity snapshot

2 - Operational Enhancements Issues & Action Items

Presenting regular status reports

2.9 Other Requirements

# Description

1 Selected Bidder should conduct security training (not certification training) for the KCB onsite team members once in six months. This training program would cover mutually agreed training agenda on the e-security products & technologies, the cost of which will be borne by the Bidder

2 Bidder should provide quarterly management briefing to KCB's senior management team on the project benefits, security risks and global threats facing financial institutions.

3 Bidder should provide relevant support for external and internal security audits that KCB is subject to from time to time

4 Bidder should support POCs or evaluation of new technologies or tools relevant to services within this RFP from time to time

5 Bidder should prepare the SOC operations for compliance and certification to the standards of ISO 27001, ISO 20000, BS 25999 and PCI DSS

6 Project plan for delivering these services and resource ramp up required for project execution will be mutually decided by Bidder & KCB. KCB will approve all such plans and project execution should be carried out only based on approval from KCB

7 All architecture design, report formats and implementation methodology mentioned in this RFP should be in consultation with KCB and should be approved before finalization.

8 All personnel to be deployed under the contract for the full period of service will need to be approved by KCB. KCB reserves the right to reject any person and ask for suitable replacement.

9 Bidder should provide background clearance certificate from reputed agencies for all personnel deployed at KCB. KCB may also carry out background checks on personnel deployed at KCB by itself or any appointed agency, if required. Bidder should provide support as required for such background checks.

10 No part of the service should be outsourced by the Bidder to any third party or contractors for execution. All personnel provided by the Bidder will have to be full time employees of the Bidder.

11 Bidder will submit detailed SLA compliance report on a quarterly basis. SLA report will be discussed with nominated personnel from KCB and any breach of SLA will lead to service penalties.

12 For any slippage in SLA in a quarter by the Bidder, it should create a rectification plan and get it approved by KCB. If the same SLA is not met in subsequent quarter, KCB will impose a service penalty, equivalent to 15 days of additional service (pertaining to the said SLA) to be provided by the Bidder at no cost to KCB. If the particular SLA violation is not rectified in 3rd quarter, KCB will impose financial penalty equivalent to 10% of the service cost. Detailed clauses on SLA and penalty will be entered into during the contracting phase with selected Bidder.

13 Apart from SLA reviews, KCB may also conduct performance reviews at mutually agreed schedules, dates and locations and representatives from both KCB and Service Provider should attend such performance review meetings

14 For any major or repeated failure of SLA or any deficiency in the service performance that causes or is likely to cause significant impact to KCB's operation or reputation, KCB reserves the right to impose, including cancellation of whole or part of contract, irrespective of any SLA penalty mentioned above.

15 KCB should be able to verify performance of each of the above services. Bidder should maintain evidence, logs or proof of such performance throughout the contract period

16 KCB reserves the right to audit the Bidder either by itself or through any appointed entity. Bidder must provide full cooperation for audit of services in the scope of this RFP.

17 The prices quoted by the Bidder should be all inclusive of people cost, cost of processes, methodologies and tools used by the Bidder and the cost of backend services provided from its own SOC. Any out of station (outside city) travel expenses for the onsite team of the Bidder for executing KCB's work will be borne by KCB.

18 Selected Bidder has to provide Performance Bank Guarantee equivalent to the cost of services for one year, valid for 5 years from a Public Sector Organization before claiming the first payment


19 Cancellation of Order: KCB reserves its right to cancel the Purchase Order at any time, in the event of breach of contract or serious deficiency in the service or for any other reason. In addition to the cancellation of Purchase order, KCB reserves the right to invoke the Bank Guarantee given by the Service Provider to recover the damages

20 Service Transition: Bidder should provide smooth transition of services to another Bidder or internal to KCB as and when the current contract is terminated. This will include transfer of skills and operating processes and procedures. Bidder should maintain documented processes and procedures for all service delivery to ensure smooth internal or external transition.

21 Indemnity: The Service Provider shall indemnify, protect and save KCB against all claims, losses, costs, damages, expenses, action suits and other proceedings, resulting from infringement of any law pertaining to software licenses, patent, trademarks, copyrights etc. or such other statutory infringements or any actions of the employees or agents or deficiency of service of the Service Provider

22 IPR: For any licensed software used by the Bidder for performing service or developing software for KCB, it should have the right to use as well as the right to license for outsourced services or third party software development. Any license or IPR violation on the part of the outsourced Bidder should not put KCB at risk. KCB should reserve the right to audit the license usage of the Bidder or ask for a Bidder undertaking on non-violation of IPR

23 All documentation, service processes, data and methodologies developed by the resources deployed at KCB and for the services delivered to KCB will become the property of KCB. KCB will retain intellectual rights over such property.

24 Restrictions: The Bidder must provide professional, objective and impartial advice and at all times hold KCB's interest paramount, without any consideration for future work, and strictly avoid conflicts with other assignments or their own corporate interests. Bidders shall not be hired for any assignment that would be in conflict with their prior or current obligations, or that may place them in a position of not being able to carry out the assignment in the best interest of KCB.

2.10 DOCUMENTATION REQUIREMENTS

All documentation and training materials (both in hard copy as well as a soft copy in pdf format) must be available in order to complete the process, business, technical/system, operations and support acceptance activities.

Supplier’s suggestions for documentation and training materials to support the implementation, use and maintenance of the Automated Audit system and any supporting technology components that will be provided as part of this project are to be included in the Supplier’s proposal. Documentation must be in English.


2.11 TESTING AND ACCEPTANCE

Acceptance Criteria: the Bank will accept the proposed deliverables after they have been fully tested by the Bank and confirmed to meet the requirements as specified in the original RFP and signed RFP response.

2.12 PROOF OF CONCEPT

The Bank may require proof of concept of the proposed solution as evidence that it is viable and capable of achieving audit requirements.

2.13 OVERALL RESPONSIBILITY

o The Bidder is obliged to work closely with the Bank's staff, act within its own authority, and abide by directives issued by the Bank that are consistent with the terms of the Contract.

o The Bidder will abide by the job safety measures and will indemnify the Bank from all demands or responsibilities arising from accidents or loss of life, the cause of which is the Bidder's negligence. The Bidder will pay all indemnities arising from such incidents and will not hold the Bank responsible or obligated.

o The Bidder is responsible for managing the activities of its personnel, or subcontracted personnel, and will hold itself responsible for any misdemeanors.

o The Bidder shall appoint an experienced counterpart resource to handle this requirement for the duration of the Contract. The Bank may also demand a replacement of the manager if it is not satisfied with the manager’s work or for any other reason.

o The Bidder shall take the lead role and be jointly responsible with the Bank for producing a finalized project plan and schedule, including identification of all major milestones and specific resources that the Bank is required to provide.

o The Bidder will not disclose the Bank's information it has access to, during the course of the Consultancy, to any other third parties without the prior written authorization of the Bank. This clause shall survive the expiry or earlier termination of the contract.

2.14 PRICING

Costs (USD inclusive VAT and other applicable taxes where necessary) and Man/Day estimates, where appropriate. All taxes and VAT amount must be clearly stipulated and separated from the base costs and should be valid for a minimum of 90 days.

2.15 DELIVERY

Delivery and performance of the Services shall be made by the successful Bidder in accordance with the time schedule as per Proposal and subsequent Agreement.


2.16 DELAYED DELIVERY AND INSTALLATION CAUSED BY THE SUPPLIER

If at any time during the performance of the Contract, the Bidder should encounter conditions impeding timely delivery and performance of the Services, the Bidder shall promptly notify the Bank in writing of the fact of the delay, its likely duration and its cause(s). As soon as practicable after receipt of the Bidder's notice, the Bank shall evaluate the situation and may at its discretion extend the Bidder's time for performance, with or without liquidated damages, in which case the extension shall be ratified by the parties by amendment of the Contract.

2.17 WARRANTY

The successful bidder shall provide 36 months Warranty for the software and ensure it is free from any sort of defects and shall perform as per expectations. The successful bidder shall provide an option for on-going warranty support beyond the warranty period. Failing this, the supplier will pay damages to the tune of the cost of the solution.

2.18 SUPPORT REQUIREMENTS

The respondent should provide and sign an Annual Maintenance Contract. The respondent should provide toll-free technical assistance 24/7/365. The respondent should provide a summary of Respondent’s resources (support personnel and otherwise) devoted specifically to technical issues, involving notification technology, as well as support procedures.

2.19 BID EFFECTIVENESS

It is a condition of the Bank that the vendor guarantees the sufficiency and effectiveness of the solution proposed to meet the Bank's requirements as outlined in this document. The Bank will hold the vendor solely responsible for the accuracy and completeness of information supplied in response to this tender. The Bank will hold the vendor responsible for the completeness of the solution proposed and that, were the vendor to be awarded the tender, they would implement the solution without any additional requirements from the Bank.

2.20 PAYMENT TERMS

The bank will NOT make any payments in advance. The Bank will issue an LPO for all the equipment and/or services ordered. The LPO will be paid within 45 days after delivery, testing installation and acceptance of the equipment and/or services supplied.

The bank will not accept partial deliveries and neither will the bank make partial payments. Payment for equipment and/or services will only be made once the entire ordered equipment and/or services are delivered, installed and commissioned. NB: KCB SHALL ONLY MAKE PAYMENTS THROUGH A KCB ACCOUNT AND THUS ALL BIDDERS ARE ENCOURAGED TO OPEN AN ACCOUNT


2.21 STAFFING

The Supplier will provide the relevant staff and tools to carry out all the required work under this tender. At least one certified expert (2 in general certification and specialized) and a back-up person are required in the technical areas.

A project/account manager is also required to coordinate and account for all the Supplier’s activities throughout the contract period.

2.22 RESPONSIBILITY AS AN INDEPENDENT CONTRACTOR

The Supplier agrees to take overall responsibility for any services rendered, regardless of whether a third party engaged by the Supplier or the Supplier himself carries them out.

2.23 BUYERS RIGHTS

Kenya Commercial Bank (KCB) reserves the right to reject any or all RFP without giving any reasons and KCB has no obligation to accept any offer made. KCB also reserves the right to keep its selection and selection criteria confidential. KCB reserves the right to award the tender in part or in whole to either a single vendor or split the award to multiple vendors in the final award. Bids not strictly adhering to RFP conditions may not be considered by KCB whose decision on the matter shall be final.


SECTION 3 - GENERAL CONDITIONS OF CONTRACT

3.1 Introduction

Specific terms of contract shall be discussed with the bidder whose proposal will be accepted by the Bank. The resulting contract shall include but not be limited to the general terms of contract as stated below from 3.2 to 3.14.

3.2 Award of Contract

Following the opening and evaluation of proposals, the Bank will award the Contract to the successful bidder whose bid has been determined to be substantially responsive and has been determined as the best evaluated bid. The Bank will communicate to the selected bidder its intention to finalize the draft conditions of engagement submitted earlier with his proposals. After agreement has been reached, the successful Bidder shall be invited for signing of the Contract Agreement to be prepared by the Bank in consultation with the Bidder.

3.3 Application of General Conditions of Contract

These General Conditions (sections 3.2 to 3.14) shall apply to the extent that they are not superseded by provisions in other parts of the Contract that shall be signed.

3.4 Bid Validity Period

Bidders are requested to hold their proposals valid for ninety (90) days from the closing date for the submission.

3.5 Performance Security

3.5.1 The Bank may at its discretion require the successful bidder to furnish it with Performance Security in the amount specified in the accepted Bid.

3.5.2 The Performance Security shall be in the form of a bank guarantee issued by a commercial bank operating in Kenya and shall be in a format prescribed by the Bank. The performance guarantee shall be submitted within 10 days of notification of award.

3.5.3 The proceeds of the Performance Security shall be payable to the Kenya Commercial Bank as compensation for any loss resulting from the Bidder’s failure to complete its obligations under the Contract.

The Performance Security will be discharged by the Company not later than two months following the date of completion of the Bidder’s performance obligations, and the Bank’s acceptance of the final report as specified in the contract.


3.6 Delays in the Bidder’s Performance

3.6.1 Delivery and performance of the Supply, installation and Maintenance of Signage shall be made by the successful Bidder in accordance with the time schedule as per Agreement.

3.6.2 If at any time during the performance of the Contract, the Bidder should encounter conditions impeding timely delivery and performance of the Services, the Bidder shall promptly notify the Bank in writing of the fact of the delay, its likely duration and its cause(s). As soon as practicable after receipt of the Bidder's notice, the Bank shall evaluate the situation and may at its discretion extend the Bidder's time for performance, with or without liquidated damages, in which case the extension shall be ratified by the parties by amendment of the Contract.

3.6.3 Except in the case of “force majeure” as provided in Clause 3.13, a delay by the Bidder in the performance of its delivery obligations shall render the Bidder liable to the imposition of liquidated damages pursuant to Clause 3.8.

3.7 Liquidated damages for delay

The contract resulting out of this RFP shall incorporate suitable provisions for the payment of liquidated damages by the bidders in case of delays in performance of contract.

3.8 Governing Language

The Contract shall be written in the English Language. All correspondence and other documents pertaining to the Contract which are exchanged by the parties shall also be in English.

3.9 Applicable Law

This agreement arising out of this RFP shall be governed by and construed in accordance with the laws of Kenya and the parties submit to the exclusive jurisdiction of the Kenyan Courts.

3.10 Bidder’s Obligations

3.10.1 The Bidder is obliged to work closely with the Bank's staff, act within its own authority, and abide by directives issued by the Bank that are consistent with the terms of the Contract.

3.10.2 The Bidder will abide by the job safety measures and will indemnify the Bank from all demands or responsibilities arising from accidents or loss of life, the cause of which is the Bidder's negligence. The Bidder will pay all indemnities arising from such incidents and will not hold the Bank responsible or obligated.


3.10.3 The Bidder is responsible for managing the activities of its personnel, or subcontracted personnel, and will hold itself responsible for any misdemeanors.

3.10.4 The Bidder will not disclose the Bank's information it has access to, during the course of the work, to any other third parties without the prior written authorization of the Bank. This clause shall survive the expiry or earlier termination of the contract.

3.11 The Bank’s Obligations

In addition to providing Bidder with such information as may be required by the bidder the Bank shall,

(a) Provide the Bidder with specific and detailed relevant information

(b) In general, provide all relevant information and access to Bank's premises.

3.12 Confidentiality

The parties undertake on behalf of themselves and their employees, agents and permitted subcontractors that they will keep confidential and will not use for their own purposes (other than fulfilling their obligations under the contemplated contract) nor without the prior written consent of the other disclose to any third party any information of a confidential nature relating to the other (including, without limitation, any trade secrets, confidential or proprietary technical information, trading and financial details and any other information of commercial value) which may become known to them under or in connection with the contemplated contract. The terms of this Clause 2.15 shall survive the expiry or earlier termination of the contract.

3.13 Force Majeure

(a) Neither Bidder nor Bank shall be liable for failure to meet contractual obligations due to Force Majeure.

(b) Force Majeure impediment is taken to mean unforeseen events, which occur after signing the contract with the successful bidder, including but not limited to strikes, blockade, war, mobilization, revolution or riots, natural disaster, acts of God, refusal of license by Authorities or other stipulations or restrictions by authorities, in so far as such an event prevents or delays the contractual party from fulfilling its obligations, without its being able to prevent or remove the impediment at reasonable cost.

(c) The party involved in a case of Force Majeure shall immediately take reasonable steps to limit consequence of such an event.

(d) The party who wishes to plead Force Majeure is under obligation to inform in writing the other party without delay of the event, of the time it began and its probable duration. The moment of cessation of the event shall also be reported in writing.

(e) The party who has pleaded a Force Majeure event is under obligation, when requested, to prove its effect on the fulfilling of the contemplated contract.


SECTION 4 – ANNEXURES

ANNEX 1 – REFERENCES

References of similar services for organizations similar to KCB in size and complexity are preferred:-

1. Prior Services Performed for:

Company Name:

Address:

Contact Name:

Telephone Number:

Date of Contract: Length of Contract:

Description of Prior Services (include dates):

2. Prior Services Performed for:

Company Name:

Address:

Contact Name:

Telephone Number:

Date of Contract: Length of Contract:

Description of Prior Services (include dates):

3. Prior Services Performed for:

Company Name:

Address:

Contact Name:

Telephone Number:

Date of Contract: Length of Contract:

Description of Prior Services (include dates):


ANNEX 2 – TECHNICAL SPECIFICATIONS COMPLIANCE MATRIX

1. Security Monitoring Services

1.1 Service Specification

The security monitoring service to be provided by the Bidder should meet the following specifications.

# Requirements Compliance (Yes/No) Remarks

1 Bidder should monitor security logs to detect malicious or abnormal events and raise the alerts for any suspicious events that may lead to security breach in KCB environment. Monitoring should be done on 24/7 basis with onsite personnel. Bidder should provide the personnel for managing the security monitoring service as per the team specifications in scope of work.

2 Bidder should develop, update and maintain log baselines for all platforms at KCB that are required to be monitored.

3 Bidder should coordinate with IT operations to implement and maintain the log baselines on production systems

4 Bidder should detect both internal & external attacks. In addition to security attacks on IT infrastructure, Bidders should also monitor for security events on business applications, databases and also identify network behavior anomalies.

5 Bidder should monitor, detect and manage incidents for the following minimum set of IT infrastructure security events. This is indicative minimum list and is not a comprehensive/complete set of events. Bidders should indicate their event list in proposal response.

- Buffer Overflow attacks
- Port & vulnerability Scans
- Password cracking
- Worm/virus outbreak
- File access failures
- Unauthorized server/service restarts
- Unauthorized changes to firewall rules
- Unauthorized Bidder access to systems
- SQL injection
- Cross site scripting

6 Bidder operations team at KCB should send alerts with details of mitigation steps to designated personnel within KCB and any identified service provider of KCB.

7 Bidder should provide coordinated rapid response to any security incident. Bidder should contain attack & coordinate restoration of services. While Bidder personnel will enlist support of other departments and service providers in KCB, primary responsibility for incident response will be with the Bidder.

8 Bidder should maintain a knowledge base of alerts, incidents and mitigation steps and this knowledge base should be updated with evolving security events within and outside KCB. Team should send customized alert advisories to the respective teams in KCB.

9 Evidence for any security incident should be maintained in tamper proof manner and should be made available for legal and regulatory purposes, as required.

10 Bidder should add/delete/modify rules, reports and dashboards based on KCB requirements


11 Bidder should provide MIS reports to KCB on daily, weekly and monthly basis. Reporting requirements will be finalized with the selected Bidder. Bidder should also have the provision to provide reports on demand whenever required by KCB.

12 Bidder should conduct forensic analysis for security incidents to enable identification of perpetrators and their methodologies.

13 Bidder should do root cause analysis for security incidents and coordinate implementation of controls to prevent recurrence.

14 Bidder should carry out system administration tasks including regular backup of system, restoration, installation, health check and others

15 Bidder should manage any faults in the SIEM solution by troubleshooting and coordinating with the OEM/principal

16 Bidder team Analyst(s) and program manager are responsible for managing the security monitoring team and ensuring satisfactory performance

17 Analyst should submit periodic Quality Assurance reports to KCB as per the reporting frequency designed.

18 Analyst should submit periodic Quality Assurance reports to KCB as per the reporting frequency designed.

19 Analyst should submit periodic Quality Assurance reports to KCB as per the reporting frequency designed.

20 Bidder should provide backend support to the onsite team from its own SOC. Such support should at the minimum include:

1. Managing escalations from onsite team for detection & response to new threats & complex attacks that onsite team is unable to resolve.
2. Adding new/updated threat scenarios and other best practices in KCB’s SIEM tool for detection & response based on Bidder SOC visibility & experience across other customers.
3. Forensic analysis of attacks/incidents including making available specialists, domain experts, tools.

21 Bidder should ensure continuous training and best practice updates for onsite team from its backend resources.

22 Bidder should provide a proactive solution to identify problems.

23 Bidder should provide incident tracking and management solution, which:
- Should have the feature to log problems.
- Should allow categorization and prioritization of problems.
- Should have feature to auto assign tickets.
- Should have facility to assign tickets based on policy and workflow rules and should have at least 5 escalation levels.
- Should have a feature to cascade and organize rules.
- Should notify users/technicians of pending requests, with the feature to create rules for such notifications.
- Should be possible to send personalized e-mails to users.
- Should be possible to send notification emails to the requester.
- Should converge all IT help desks in the business units across buildings/complexes or countries, to function as a single help desk.
- Should customize the holidays, departments, technicians/site associations, groups, business rules and SLAs as per the location's operational hours.
- Should enable the requests logged in from each site to be resolved within that particular site's operational hours.
- Should automatically reset the end-user's password without the involvement of helpdesk technicians.
- Should support integration with LDAP and Active Directory.

1.2 Deliverables

Bidder should meet the service specifications mentioned above. Along with meeting service specifications, Bidder should provide the following Deliverables as per SLA mentioned below. Indicate Fully Compliant (F), Partially Compliant (P) or Not Compliant (N).

Columns: # | Area | Expected Output | SLA | Compliance (F/P/N) | Remarks

1 Event monitoring
Expected Output:
- 24X7 monitoring for identified assets and 24X7 response for any events
- Detection of internal & external attacks, suspicious events or abnormal behaviour against pre-defined baseline for network, applications and databases
- Recommend mitigation steps for alerts
- Alert categories and their prioritization and reporting format as per mutually approved process & escalation matrix
SLA:
- Sending alerts with mitigation steps to designated personnel: 15 min: Very high priority events; 30 min: High priority events; 60 min: Medium priority events
- Alerting method: Email/SMS/Call: Very high priority events; Email/SMS: High priority events; Email: Medium priority events

2 Incident Management & Forensics
Expected Output:
- Coordinated rapid response to any security incident
- Contain attack & restore services
- Forensic analysis & report
- Root cause analysis report and long term security control identification
- Evidence collection and retention for legal and regulatory purpose
- Log retention and repository of incident knowledge base
SLA:
- Providing initial response to incidents: 60 min: Very high priority incidents; 90 min: High priority incidents; 120 min: Medium priority incidents
- Providing report with root cause analysis: 72 hours: Very high priority incidents; 96 hours: High priority incidents; 120 hours: Medium priority incidents
- Availability of logs relevant to reported events/incidents for the period of: 12 months
- Retention of all logs for a period of one year
- Repository of incidents and mitigation knowledgebase

3 Reports
Expected Output:
- Timely submission of daily, weekly and monthly reports
- Multiple types of reports, an indicative list is given below:
- Daily reports including firewall change reconciliation, unauthorized database admin access, referrer log brand misuse reports, anti-virus policy non-compliance, unauthorized service provider access, privilege misuse/escalation
- Weekly reports including persistent top attackers, attacks, attack targets, trend analysis
- Monthly MIS reports, executive representation for top management, trend analysis
- Reports as defined by KCB from time to time.
SLA:
- Daily Reports: By 12:00 PM
- Weekly Reports: By 10:00 AM Monday
- Monthly Reports: By 5th of each month

2. Security Product Management

2.1 Service Specification

The security device management service to be provided by the Bidder should meet the following specifications. Bidder should provide compliance status and remarks for any deviations.

Columns: # | Requirement | Compliance (F/P/N) | Remarks

1 Management of products in scope for policies, configurations, availability, fault and capacity management during business hours

2 Open a case with OEM /product support for all faults. Coordinate with OEM /product support for resolution. Communicate status to KCB on a regular basis

3 Review SLAs with OEM/product support and recommend measures to improve the service levels.

4 Maintain IP addressing schemes, routing information, routing tables for security device operations

5 Provide recommendations for architecture enhancements/changes that can enhance the security posture

6 Management of the security products for policy changes including rule changes, signature updates arising from business requirements or in the event of attacks

7 Provide KCB with a root cause analysis of downtime due to faults, security events including preventive measures being taken to prevent future similar incidents and outages

8 Coordinate delivery with all stakeholders including help desks, network team, IT team, application team and all appropriate third parties, as necessary, for the management of products in asset scope

9 Maintain security product configuration, based on industry best practices and as requested, for the products within the Asset Scope

10 Maintain complete documentation and architecture layout for all products with site deployment layout

11 Participate in technical and business planning sessions to establish security standards, architecture and project initiatives where the security products may impact or improve the design

12 Provide infrastructure security planning & analysis, recommendations for installation and upgrade of products in scope

13 Tracking/Alerting the required license, software subscription for all hardware & software components of devices in scope

14 Bidder should analyze performance reports and formulate plan for capacity addition

15 Provide technical expertise/support for audits on the products in scope

16 Set up and manage admin and user accounts. Perform access control on need basis

17 Take the backup of product configuration files any time there is a change in device configuration

18 Review the backup configuration and business continuity procedures to be followed in the event of device failure

19 Submit the Periodic Reports on the backup status

20 Restore configuration in the event of product crash, corruption or other failure

21 Design and program manage new device implementations

22 Bidder should provide backend support to the onsite team from its own SOC. Such support should at the minimum include:
- Escalations from onsite team for specialist support on security product categories to resolve faults, configuration related issues
- Share best practices on product configuration standards & policies with onsite team

23 Bidder should ensure continuous training and best practice updates for onsite team from its backend resources.

24 The following activities have to be carried out specifically for the DLP system in scope:
7. Identify the sensitive data that needs to be protected by DLP in discussion with KCB.
8. Discover sensitive data by periodically scanning servers and endpoints of KCB.
9. Design, configure and fine tune DLP policies to protect sensitive data in accordance with KCB requirements.
10. Design and configure DLP reports and dashboard.
11. Generate daily, weekly, monthly DLP reports as required.
12. Monitor and analyze DLP alerts and perform incident management.

25 The following activities have to be carried out specifically for the PIM solution in scope:
7. Conduct role engineering to design the access policies for servers and network devices
8. Configure and fine tune access policies for servers and network devices
9. Configure end user accounts and associated access policies and manage their privileges
10. Design and configure PIM reports and dashboard
11. Generate daily, weekly, monthly PIM reports as required
12. Monitor and analyze PIM alerts and perform incident management
Analyze PIM recordings for incident analysis

26 The following activities have to be carried out specifically for the FIM solution in scope:
7. Identify the files to be monitored across servers/network devices based on best practices, regulatory/standards requirements and KCB requirements.
8. Identify configuration audit requirements
9. Design, configure and fine tune the FIM and Configuration audit policies for the identified files and configuration items to be monitored.
10. Design and configure FIM reports and dashboard.
11. Generate daily, weekly, monthly FIM reports as required.
12. Monitor and analyze FIM alerts and perform incident management.

27 Create or migrate users from LDAP/ User repository to the Two factor authentication server

28 Carry out token life-cycle management procedures such as
4. User Token provisioning procedure
5. Modification of two-factor authentication privileges for end user owing to change in job role
6. Token revocation on exit or termination
Carry out Help desk procedures such as
5. Reporting lost tokens
6. Returning faulty, damaged or expired tokens
7. Enabling emergency access for permanently lost, damaged or expired tokens
8. Inventory management

2.2 Deliverables

Bidder should meet the service specifications mentioned above. Along with meeting service specifications, Bidder should provide the following Deliverables as per SLA mentioned below.

Columns: # | Area | Expected Output | SLA | Compliance (F/P/N) | Remarks

1 Architecture planning, review & redesign (as required from time to time)
Expected Output:
6. Plan & review placement of servers in the network segments
7. Plan & review Device segmentation
8. Plan & review authentication schemes
9. Plan & review integration with other security components
10. Oversight for new device implementation
SLA:
- Completion of activities within mutually agreed upon timelines

2 Policy & user Management
Expected Output:
8. Risk Analysis and policy design
9. Configuration of policies
10. Document policy change
11. Policy optimization for all the Devices
12. Audit policy for exceptions
13. Set up and manage admin and user accounts as per policies of KCB
14. Interact with network team for managing escalations with NOC
SLA:
- Emergency Changes: 30 min: Acknowledgement of change request; 60 min: Implementation of change requests
- Routine Changes: 4 hours: Acknowledgement of change requests; 8 hours: Implementation of change requests

3 Availability and Configuration Management
Expected Output:
9. Backup & restoration of configuration
10. Periodic review of the backup configuration and business continuity procedures to be followed in the event of Device failure
11. Monitor the availability of devices
12. Root cause analysis for failure/downtime of security devices
13. Maintain IP addressing schemes, routing information, routing tables, for the Device operations
14. Detailed analysis of misconfigurations, OS/application failures
15. Comply with KCB policies & regulations applicable to KCB
16. Tracking the SLA with product Bidder or reseller, maintenance contract, required license, software subscription for all hardware & software components of Devices.
SLA:
- Periodic Backup as per KCB's policy
- Backup before and after implementation of any change
- Quarterly report on maintenance contract & software subscription

4 Fault Management
Expected Output:
6. Open a case with device supplier in the event of hardware component or system failure or bugs
7. Co-ordinate with device supplier/OEM for solution
8. Review the device supplier/OEM SLA for recommending measures to improve the service levels
9. Track AMC renewal dates
10. Root cause analysis for any failures/downtimes
SLA:
- Open a ticket within 30 minutes of problem identification
- Status update every 4 hours to KCB personnel
- Quarterly review of Bidder SLA

5 Device migration/update
Expected Output:
5. Prepare and review capacity plans for security devices and recommend upgrades as required.
6. Provide security infrastructure analysis, recommendations for installation and upgrade
7. Prepare specifications, architecture and detailed plan for migration/upgrade
8. Test migration/upgrade plan in staging environment
SLA:
- Quarterly analysis report as per KCB's specified format
- Version upgrades within 3 months from release of new version

3. Vulnerability Management Services

3.1 Service Specification

The Vulnerability management service to be provided by the Bidder should meet the following specifications. Bidder should provide compliance status and remarks for any deviations.

Columns: # | Requirements | Compliance (F/P/N) | Remarks

1 Bidder should conduct scanning & configuration assessments as per frequency defined in the asset scope table

2 Configuration assessments should check for compliance against the secure baseline and SANS, NIST, CIS, KCB baselines, CERT-IN, guidelines as updated from time to time.

3 Configuration assessment of OS should check for the items given below. This is a minimum indicative list and Bidders are encouraged to check for more settings in line with best practices (SANS, NIST, CIS, KCB baselines, CERT-IN):
- Shares with insecure permission
- Permissions to critical system files and folders
- Audit log settings
- Space allocated for Event Viewer logs
- SNMP community strings
- Password and account lockout policies
- Non-essential services check
- TCP/IP stack settings
- User rights assignment
- Latest Service Pack installation
- Latest security patches installation
- Antivirus software

4 Configuration assessment of database should check for the items given below. This is a minimum indicative list; Bidders are encouraged to check for more settings in line with best practices (SANS, NIST, CIS, KCB policies, CERT-IN):
- Default passwords
- DBLINK Encrypt Login Option
- Allocation of Unlimited Table space
- Temporary and Default Table space Management
- Unrestricted access to services
- Web based access to database using iSQL*Plus
- Run time modification of the listener service
- Look for latest version
- Test for secure authentication mechanism
- Latest version not installed

5 Configuration assessment of network & security devices should check for the items given below. This is a minimum indicative list; Bidders are encouraged to check for more settings in line with best practices (SANS, NIST, CIS, KCB Baselines):
- Access Control
- System Authentication – remote administration security, password security
- Auditing and Logging
- Insecure Dynamic Routing Configuration
- Insecure Service Configuration – Unnecessary services running, SNMP service security
- Insecure TCP/IP Parameters – source routing, IP directed broadcasts, UDP broadcast forwarding
- Latest version not used

6 Scanning should check for the items given below. This is a minimum indicative list; Bidders are encouraged to check for more settings in line with best practices including PCI, OSSTMM, KCB Baselines, CERT-IN:
- Tests for default passwords
- Tests for DoS vulnerabilities
- Test for buffer overflows
- Test for directory traversal
- Test for insecure services such as SNMP
- Check for vulnerabilities based on version of device/server
- Test for SQL, XSS and other web application related vulnerabilities
- Check for weak encryption
- Check for SMTP related vulnerabilities such as open mail relay
- Check for strong authentication scheme
- Test for sample and default applications/pages
- Check for DNS related vulnerabilities such as DNS cache poisoning and snooping
- Test for information disclosure such as internal IP disclosure
- Look for potential backdoors
- Check for older vulnerable version
- Remote code execution
- Weak SSL Certificate and Ciphe

7 The Bidder team should work with KCB personnel or its other outsourced partners for remediation of vulnerabilities. Bidder team should provide support for testing recommendations in UAT, prepare plan for implementation in production and provide support for production rollout

8 Bidder should conduct a confirmatory audit to confirm the remediation action that has been taken by relevant operations teams at KCB

9 All deliverables including reports should undergo Quality Assurance process. Project Manager should define quality metrics, measurement frequency and reporting periodicity in consultation with KCB

10 Bidder should provide backend support to the onsite team from its own SOC. Such support should at the minimum include:
3 Escalations from onsite team for specialist support on detected vulnerabilities & solutions for mitigation.
4 Share best practices on configuration standards, new vulnerability checks with onsite team.

11 Bidder should ensure continuous training and best practice updates for onsite team from its backend resources.

3.2 Deliverables

Bidder should meet the service specifications mentioned above. Along with meeting service specifications, Bidder should provide the following Deliverables as per SLA mentioned below.

Columns: # | Area | Expected Output | SLA | Compliance (F/P/N) | Remarks

1 Secure Configuration assessment
Expected Output:
Carry out secure configuration assessments as per the asset list, frequency provided and test criteria. Submit assessment reports, containing the following:
8. Executive summary
9. Benchmark with SANS, NIST, CIS, KCB Policies, CERT-IN
10. Categorization of vulnerabilities based on risk level
11. Details of security vulnerabilities
12. Emergency quick-fix solution for discovered vulnerabilities
13. Long-term solution for discovered vulnerabilities
14. Post correction assessment findings
SLA:
- Meet assessment periodicity given in asset scope section
- Meet quality criteria defined by KCB on configuration checks and report formats

2 Vulnerability Scanning
Expected Output:
10. Carry out vulnerability scanning and asset discovery scanning as per the asset list, frequency provided and test criteria.
11. Submit report containing the following
12. Executive summary
13. Benchmark with PCI, OSSTMM
14. Categorization of vulnerabilities based on risk level
15. Details of security vulnerabilities
16. Emergency quick-fix solution for discovered vulnerabilities
17. Long-term solution for discovered vulnerabilities
18. Post correction assessment findings
SLA:
- Meet scanning periodicity given in asset scope section
- Meet quality criteria defined by KCB on scanning checks and report formats

3 Mitigation support
Expected Output:
- Bidder should track mitigation for the reported findings of scanning and assessment activities.
SLA:
- Updated information on mitigation status.
- Timely query resolution on mitigation recommendations

4. Malware Monitoring Services

4.1 Service Specification

The web malware scanning service to be provided by the Bidder should meet the following specifications. Bidder should provide compliance status and remarks for any deviations.

Columns: # | Description | Compliance (F/P/N) | Remarks

1 24X7 monitoring for Malicious Mobile Code(MMC) and malware infection of websites as given in asset scope

2 Real time detection of MMC/malware infection/injection

3 Solution should be a tool based automated solution including the following features:
- Spider sites in scope on a continuous basis.
- Detect & alert for malware infection.
- Baseline website and detect malicious changes to website.
- Detect malicious links including ones pointing to other sites with malware or ones that are pointing to malware uploaded in the same site.
- Detect malicious JavaScript, Flash content.
- Analyze HTML tags for malicious entries.
- Check URLs against global blacklist databases.
- Scan spidered pages with industry leading anti-virus/anti-spyware.
- Support reporting in different formats including PDF reports.

4 Solution should be implemented onsite at KCB and integrate with all websites under the scope.

5 Solution should support scanning to a depth of at least two pages and expanded to higher depth based on risk level of the site.

6 Solution should support scanning of static and dynamic links.

7 Bidder should report and engage the team to take down the MMC/malware injection server once it is identified as the source, after proper approval.

8 Bidder should manage incidents for MMC/malware infection/injection including solution, coordination for recovery in the shortest possible time.

9 Solution should be independent of application platform of the website.

10 Bidder should provide online security dashboard to capture security status of monitored websites and also to track mitigation status of infected sites

11 Bidder should provide backend support to the onsite team from its own SOC. Such support should at the minimum include:
- Alert & support onsite team in scenarios where there is a sudden increase in phishing or malware attacks across other Organizations as seen by Bidder SOC
- Any software development work for automation of workflows, integration with service desk or development of dashboard/reporting templates or testing tool development

12 Bidder should ensure continuous training and best practice updates for onsite team from its backend resources.

4.2 Deliverables

Bidder should meet the service specifications mentioned above. Along with meeting service specifications, Bidder should provide the following Deliverables as per SLA mentioned below.

Columns: # | Area | Expected Output | SLA | Compliance (F/P/N) | Remarks

1 Malware scanning services
Expected Output:
- Alert Organization on web based malware on KCB sites being monitored
- Alert Organization of existence of Blacklisted links on KCB sites being monitored
- Alert Organization of potentially malicious website changes on KCB sites being monitored
- Incident Management for malware incidents including providing emergency response, identify root cause and provide solution, coordinate with Organization's Bidders as needed
SLA:
- Inform KCB team via Email/SMS within 30 min of detection of malware, unauthorized change or Blacklisted Link
- First level incident management response within 60 minutes of alerting KCB team

2 Security Dashboard
Expected Output:
- Online dashboard to capture security status of monitored websites and also to track mitigation status of infected sites
SLA:
- Deliver and maintain the dashboard as required by the Organization
- Upgrade and provide new features to support evolving needs at the Organization within agreed upon time.
- Update with new data as required

5. SIEM & Security Tools implementation GAP analysis Services (Onetime)

Columns: # | Description | Compliance (F/P/N) | Remarks

1. The Bidder should perform gap analysis of the SIEM implementation to ensure it meets best practices and KCB requirements.

2. The audit should check if the use cases meet best practices and KCB requirements.

3. The audit should check if the SIEM implementation has met all system requirements specified by the OEM.

4. The audit should check if SIEM configuration is as per best practices and KCB requirements.

5. Ensure that log collection server installation and configuration is proper.

6. Identify the level of logs to be enabled across the different components of IT infrastructure.

7. Support the IT team with the required information to bridge the gap.

8. Define the required rules, alerts, reports and dashboards as relevant to meet the highest levels of security for KCB.

9. Suggest Event correlation design which includes the attributes like events, asset, vulnerability, business value in the threat calculation.

10. Recommend method of making Evidence for any security incident available for legal and regulatory purposes.

6. Reporting

KCB requires Bidders to provide relevant consolidated as well as individual reports of all activities performed by the Bidder to the top management of KCB. The security reporting service to be provided by the Bidder should meet the following specifications. Bidder should provide compliance status and remarks for any deviations.

Columns: # | Description | Compliance (F/P/N) | Remarks

1 Bidder should provide detailed MIS reports to KCB on a monthly basis

2 Bidder should provide quarterly update through a senior resource on activities, security posture of KCB to key stakeholders

6.1 Deliverables

Bidder should meet the service specifications mentioned above. Along with meeting service specifications, Bidder should provide the following Deliverables as per SLA mentioned below.

Columns: # | Area | Expected Output | SLA | Compliance (F/P/N) | Remarks

1 Consolidated MIS report across all services rendered

NCPI Security Status

Activity snapshot

2 - Operational Enhancements

Issues & Action Items

Presenting regular status reports

7. Other Requirements

Columns: # | Description | Compliance (F/P/N) | Remarks

1 Selected Bidder should conduct security training (not certification training) for KCB's nominated persons once in six months for maximum of 10 participants per session. This training program would cover mutually agreed training agenda on the e-security products & technologies.

2 Bidder should provide quarterly management briefing to KCB's senior management team on the project benefits, security risks and global threats facing financial institutions.

3 Bidder should provide relevant support for external and internal security audits that KCB is subject to from time to time

4 Bidder should support POCs or evaluation of new technologies or tools relevant to services within this RFP from time to time

5 Bidder should prepare the SOC operations for compliance and certification to the standards of ISO 27001, ISO 20000, BS 25999 and PCI DSS

6 Project plan for delivering these services and resource ramp up required for project execution will be mutually decided by Bidder & KCB. KCB will approve all such plans and project execution should be carried out only based on approval from KCB

7 All architecture design, report formats and implementation methodology mentioned in this RFP should be in consultation with KCB and should be approved before finalization.

8 All personnel to be deployed under the contract for the full period of service will need to be approved by KCB. KCB reserves the right to reject any person and ask for suitable replacement.

9 Bidder should provide background clearance certificate from reputed agencies for all personnel deployed at KCB. KCB may also carry out background checks on personnel deployed at KCB by itself or any appointed agency, if required. Bidder should provide support as required for such background checks.

10 No part of the service should be outsourced by the Bidder to any third party or contractors for execution. All personnel provided by the Bidder will have to be full time employees of the Bidder.

11 Bidder will submit detailed SLA compliance report on a quarterly basis. SLA report will be discussed with nominated personnel from KCB and any breach of SLA will lead to service penalties.

12 For any slippage in SLA in a quarter by the Bidder, it should create a rectification plan and get it approved by KCB. If the same SLA is not met in subsequent quarter, KCB will impose a service penalty, equivalent to 15 days of additional service (pertaining to the said SLA) to be provided by the Bidder at no cost to KCB. If the particular SLA violation is not rectified in 3rd quarter, KCB will impose financial penalty equivalent to 10% of the service cost. Detailed clauses on SLA and penalty will be entered into during the contracting phase with selected Bidder.

13 Apart from SLA reviews, KCB may also conduct performance reviews at mutually agreed schedules, dates and locations and representatives from both KCB and Service Provider should attend such performance review meetings

14 For any major or repeated failure of SLA or any deficiency in the service performance that causes or is likely to cause significant impact to KCB's operation or reputation, KCB reserves the right to impose, including cancellation of whole or part of contract, irrespective of any SLA penalty mentioned above.

15 KCB should be able to verify performance of each of the above services. Bidder should maintain evidence, logs or proof of such performance throughout the contract period

16 KCB reserves the right to audit the Bidder either by itself or through any appointed entity. Bidder must provide full cooperation for audit of services in the scope of this RFP.

17 The prices quoted by the Bidder should be all inclusive of people cost, cost of processes, methodologies and tools used by the Bidder and the cost of backend services provided from its own SOC. Any out of station (outside city) travel expenses for the onsite team of the Bidder for executing KCB's work will be borne by KCB.

18 Selected Bidder has to provide Performance Bank Guarantee equivalent to the cost of services for one year, valid for 5 years from a Public Sector Organization before claiming the first payment

19 Cancellation of Order: KCB reserves its right to cancel the Purchase Order at any time, in the event of breach of contract or serious deficiency in the service or for any other reason. In addition to the cancellation of Purchase order, KCB reserves the right to invoke the Bank Guarantee given by the Service Provider to recover the damages

20 Service Transition: Bidder should provide smooth transition of services to another Bidder or internal to KCB as and when the current contract is terminated. This will include transfer of skills and operating processes and procedures. Bidder should maintain documented processes and procedures for all service delivery to ensure smooth internal or external transition.

21 Indemnity: The Service Provider shall indemnify, protect and save KCB against all claims, losses, costs, damages, expenses, action suits and other proceedings, resulting from infringement of any law pertaining to software licenses, patent, trademarks, copyrights etc. or such other statutory infringements or any actions of the employees or agents or deficiency of service of the Service Provider

22 IPR: For any licensed software used by the Bidder for performing service or developing software for KCB, it should have the right to use as well as the right to license for outsourced services or third party software development. Any license or IPR violation on the part of the outsourced Bidder should not put KCB at risk. KCB should reserve the right to audit the license usage of the Bidder or ask for a Bidder undertaking on non-violation of IPR

23 All documentation, service processes, data and methodologies developed by the resources deployed at KCB and for the services delivered to KCB will become the property of KCB. KCB will retain intellectual rights over such property.

24 Restrictions: The Bidder must provide professional, objective and impartial advice and at all times hold KCB's interest paramount, without any consideration for future work, and strictly avoid conflicts with other assignments or their own corporate interests. Bidders shall not be hired for any assignment that would be in conflict with their prior or current obligations, or that may place them in a position of not being able to carry out the assignment in the best interest of KCB.

ANNEX 3 – KCB IT RISK & SECURITY – TECHNICAL SECURITY CHECKLIST

KCB IT Risk & Security - Technical Security Checklist

Security Criteria Vendor Comments

Documents

1 The vendor has agreed/ signed KCB non-disclosure agreement with the bank. No engagements with vendor are allowed without a formal non-disclosure agreement in place

2 Indicate who will provide support - internal team or vendor support with SLA in place/proposed specifying response time and penalties

3 Is system & security documentation available? Comprehensive security documentation must be provided

4 System design architecture – are detailed diagrams available?

Availability

1 What is the expected uptime of the solution? Indicate the high availability requirements.

2 Are disaster recovery and business continuity plans built in? Critical systems require business continuity plans. What are the Disaster Set up requirements?

3 What kind of back up arrangements are proposed? All sensitive data must be properly backed up

4 Are network diagrams provided? Network schematics should clearly indicate which elements are in control of vendor and those under KCB control

5 Is there redundant design? – redundancy needed for mission critical systems

6 Are there performance monitoring and tuning tools that are part of the solution? If yes provide details of functionality

7 Are there troubleshooting (debugging) tools that are part of the solution? If yes provide list and functionality

Integrity & Confidentiality

1 Does system support strong authentication (two factors) or rich security for mission critical systems? – indicate what is available

2 Are passwords and PINs encrypted from generation, transmission to storage? Indicate the entire path and how authentication data is secured

3 What are the PIN/password security features? A PIN must be at least 4 characters for customers and encrypted in transit or storage. Password shall have rich features – expiration, complexity, initial auto generate etc

4 Is discretionary access control enforced by the system at all levels – application, OS, database (include versions supported).

5 Is separation of duties enforced by the system? – one person should not complete critical transactions

6 Indicate the user roles and groups that are defined by default in the system. Can these be refined? – Please give details.

7 Does the application require the use of an administrator password to be shared among users or hard coded? Only named users should be allowed.

8 How are new passwords generated and secured? New accounts must have a password and password should not be predictable.

9 What ports and protocols are used and what are the security features?

10 Are security reports available? – changes to roles/profiles, database access

11 What Cryptography (Encryption) mechanisms are implemented? What encryption algorithm is employed?

12 Does system support Intrusion detection functionality?

13 Confirm object reuse is not allowed – sessions, memory, cache elements etc

14 Does the system have secure communication architecture? Sensitive data should be secured in transmission, interfaces and storage.

Operations

1 What is the OS, database and applications to be used? Name and version

2 Does back-end software operate as a service?

3 How many versions of this product are you supporting and what is the latest version? How long has the latest version been in the market?

4 Patching and updates procedures – what is the frequency of releases? When is the next release? Is down time required?

5 System audit should be available. Have audit data logs processing and storage been factored in hardware sizing? Should have system logs for both Operating System and Application. What is the format of the logs? Logs must be able to support SIEM.

6 Anti-virus requirements – support for major antivirus vendors and compatible with the ones KCB is currently using

7 Identify the maximum number of named users, logged-on users, and concurrent users that the system will accommodate. Capacity should be sufficient to meet business projection. User roles must be defined in the system.

8 Does the system produce secure output? E.g. confidential or sensitive printed information? If yes, is there a procedure for handling the output?

9 Is security and technical training included? System users must be provided with sufficient security training.

10 What are the environment requirements? - control air-borne contaminants (Space requirements, humidity & temperature control, electrical power supply requirements)

Database

1 What databases do you support? Commercial databases should be used

2 Does your application support a clustered database environment? Clustering is important for mission critical.

3 Will the database be accessible for use by other applications directly? If yes, what are the security controls in place?

4 Does your application depend on specified schema-owner or user names/passwords to the database? Does the schema owner need DBA access for the application to function? Requirement – Application should handle all user access

5 What system database functions require DBA access to be performed? Database should enforce rich password security features

6 Does the application require a specific OS for the database server?

7 Describe any communication protocol your system uses to connect to the database. Do the connections stay connected at all times, or are they transaction based? Should be transaction based

Additional security control details

Vendor representative (Name, Sign/date)

ANNEX 4 – SUPPLIER QUESTIONNAIRE

Bidders willing to be considered for the tender for Provision of IT Security Operations Center (SOC) are expected to furnish the Company with, among others, the following vital information, which will be treated in strict confidence by the Company.

1.0 CORPORATE INFORMATION

No. PARTICULARS RESPONSE [If space is insufficient, please use a separate sheet]

1.1

Full name of organization:

1.2 Is your organization

(Please tick one)

i) a public limited incorporated company? attach a copy of Certificate of incorporation including any Certificate of Change of Name, Memorandum & Articles of Association

ii) a public listed company? If yes, please attach a copy of Certificate of incorporation including any Certificate of Change of Name, Memorandum & Articles of Association

iii) a limited incorporated company? If yes, please attach a copy of Certificate of incorporation including any Certificate of Change of Name, Memorandum & Articles of Association

iv) a partnership? If yes, please attach certified copy of the Partnership Deed and business name certificate

v) a sole trader? If yes, please attach a certified copy of the business name certificate

vi) other (please specify)

1.3 Company Registration number (if this applies)-attach a copy of Certificate of incorporation including any Certificate of Change of Name or relevant certificate from country of incorporation.

1.4 Date and country of Registration:

1.5 Full physical address of principal place of business:

Full postal address of the business:

1.6 Registered address if different from the above:

Post Code:

1.7

Telephone number:

1.8 Fax number:

1.9 E-mail address:

1.10 Website address (if any):

1.11 Company/Partnership/Sole Trader Tax PIN:

(Please provide a certified copy of the PIN Certificate)

1.12 VAT Registration number:

(Please provide a certified copy of the VAT Certificate)

1.13 Period in which you have been in the specific business for which you wish to bid.

1.14 Current Principal letter/certifications preferably issued in 2014.

1.15 Names of the Shareholders, Directors and Partners.

If a Kenyan company please provide an original search report issued by the Registrar of Companies showing the directors and shareholders (Companies Form CR 12).

1.16 Associated companies(if any)

1.17 Please provide a copy of the latest annual returns together with the filing receipt as filed at the Companies Registry

1.17 Name of (ultimate) parent/holding company (if this applies):

1.18 Company number of parent/holding company (if this applies):

1.19 If a consortium is expressing interest, please give the full name of the other organization

(the proposed consortium partners should also complete this questionnaire in its entirety)

1.20 Name and contacts of the Legal Representative of the company; Name, Title; Telephone, Fax and Email address.

1.21 Contact person within the organisation to whom enquiries about this bid should be directed:

NAME:

TITLE

TEL:

FAX:

EMAIL:

2.0 FINANCIAL INFORMATION

No. PARTICULARS

2.1

What was your turnover in the last two years?

…………

for year ended

--/--/----

………

for year ended

--/--/----

2.2

Has your organisation met all its obligations to pay its creditors and staff during the past year?

Yes / No

If no, please give details:

2.3 Have you had any contracts terminated for poor performance in the last three years, or any contracts where damages have been claimed by the contracting authority?

Yes / No

If yes, please give details:

2.4

What is the name and branch of your bankers (who could provide a reference)?

Name:

Branch:

Telephone Number:

Postal Address:

Contact Person Name:

Contact Position

Contact E-mail:

2.5

Provide a copy of the following

• A copy of your most recent audited accounts (for the last two years)

• A statement of your turnover, profit & loss account and cash flow for the most recent year of trading (for the last two years)

• A statement of your cash flow forecast for the current year and a bank letter outlining the current cash and credit position.

3.0 BUSINESS ACTIVITIES

No. PARTICULARS

3.1

What are the main business activities of your organization? i.e. Manufacturer, Assembler, Distributor, service centre, retailer, (please specify).

3.2

How many staff does your organization have? ............

Indicate the number under each category

i. Technical (Permanent………, Temporary……)

ii. Semiskilled (Permanent……., Temporary……..)

3.3 Please generally describe the experience and expertise your organization possesses that will enable you to effectively and efficiently undertake the work you are bidding for, as required by KCB.

• Attach your company organogram (organization chart) with emphasis on the job you are bidding for.

• Attach CVs of key staff

3.4 Please submit a declaration that all staff within your organization that are or will be involved in the project are or will be permitted to work within your organization under the laws of Kenya or the laws of the country in which it is established.

4.0 TRADE REFERENCES

4.1 Please provide in the table below details of the projects you have undertaken relevant to the job you are bidding for performed over the last three (3) years, or that are relevant to this bid document. (Attach Local Purchase Orders (LPOs), Local Service Orders, Agreements/Contracts)

No

Customer Organization (name)

Customer contact name and phone number

Contract reference and brief description:

Date contract awarded

Value of businesses transacted: (Kshs/USD/Euro)

1

2

3

4

5

6

7

8

5.0 CERTIFICATIONS, ACCREDITATIONS AND APPROVALS

Detail any relevant certifications and accreditations by principals or accreditation bodies and attach copies of such certification. Such certifications may be for your company or for your individual staff as relevant to the work they do and the key skills for the service or goods you propose to supply.

6.0 AGENCIES AND PARTNERSHIPS

a) Detail any agencies and partnerships that you have that are relevant to the categories of goods and/or services you are interested in supplying.

b) List your primary sources of supply for goods that you propose to supply.

7.0 MANAGEMENT POLICIES

a) Employee Integrity

• How does the firm ensure the integrity of staff? Detail any related policies.

b) Code of Conduct/Ethics

• Does your company have a code of conduct? If so, please attach a copy.

• Indicate if your company subscribes to a professional body with a code of conduct/ethics.

c) Company employment policy

• Does the firm have a documented employment policy? What are key highlights from this policy if in existence?

d) Environmental Policy/Green Agenda Policy

• Is your firm ISO 140001 certified or do you have an environmental policy as an organization?

• Is your waste segregated as per different waste streams?

• How are wastes from your firm disposed of?

e) Customer Service

Does the firm have a documented policy on Customer Service?

Which position in your firm is responsible for customer service and how is this position supported by other functions?

Does your firm use any performance management techniques, including customer satisfaction measurement? If so, what are the key parameters?

8.0 BUSINESS PROBITY AND LITIGATION MANAGEMENT

Please confirm whether any of the following criteria applies to your organization. Note that failure to disclose information relevant to this section may result in your exclusion as a potential KCB supplier.

No. PARTICULARS RESPONSE

8.1

Is the organisation bankrupt or being wound up, having its affairs administered by the court, or have you entered into an arrangement with creditors, suspended business activities or any analogous situation arising from similar proceedings in Kenya or the country in which it is established?

8.2 Please provide a statement of any material pending or threatened litigation or other legal proceedings where the claim is of a value in excess of USD 20,000.

8.3 Has any partner, director, shareholder or employee whom you would propose to use to deliver this service been convicted of an offence concerning his professional conduct?

8.4 Has any partner, director or shareholder been the subject of corruption or fraud investigations by the police, Kenya Anti-Corruption Authority or similar authority in the country in which your organization is established?

8.6 Has the organization not fulfilled obligations relating to the payment of any statutory deductions or contributions including income tax as required under Kenyan law or the laws of the country in which it is established?

8.7 Please state if any Director shareholder/ Partner and / or Company Secretary of the Organization is currently employed or has been employed in the past 3 years by KCB.

8.8 Please state if any Director / Partner and / or Company Secretary of the Organization has a close relative who is employed by KCB and who is in a position to influence the award of any supply award. A “close relative” refers to spouse, parents, siblings and children

9.0 INSURANCE

Please provide details of your current insurance cover

Value

9.1

Employer’s Liability:

9.2

Public Liability:

9.3

Professional Indemnity (if applicable)

9.4 Other (specify)

10.0 EVALUATION

(a) Requirements For Evaluation

The following documents should be attached.

i. Certificate of Incorporation/Business Name Certificate

ii. Trading Certificate/Business Permit

iii. Certificate from relevant regulatory authority (where applicable)

iv. Manufacturers Authorization /or equivalent (where applicable).

v. TAX/ PIN Certificate or equivalent

vi. Tax Compliance certificate or equivalent

vii. Current principal letter/certification preferably issued in 2014 (where applicable)

viii. List of Directors, telephone and their postal address

ix. Form CR 12 as issued by the Registrar of Companies (original) or certified as true copy.

x. Audited Accounts (Two years)

xi. Bank Account Information

xii. CVs of Senior Staff

xiii. Organogram/Organization Chart

ANNEX 5 – PERFORMANCE SECURITY FORM (FORMAT)

Know all men by these presents that we:

1. .....................................................................................

(Full name & address in block letters) PRINCIPAL

2. .....................................................................................

(Full name & address in block letters) SURETY

are held firmly bound, jointly and severally, unto Kenya Commercial Bank Limited in the principal sum of US Dollars ....................................................................................................

for which payment well and truly to be made we bind ourselves firmly by these presents.

The condition of the above obligations being that should the said <name of Bidder>

fulfill his /their obligation/s under an agreement entered into between the Kenya Commercial Bank Limited, and themselves in respect of <<the requirement>>

for Kenya Commercial Bank Ltd. during the period ending ..................................................

and not incur cancellation of the agreement for any cause whatsoever then the above obligation to be null and void; otherwise to remain in full force and effect. The validity of this guarantee expires on ............................................................................

which is two months beyond the contract period (i.e. after submission and acceptance by the Bank of final report).

.......................................................................................

PRINCIPAL (Signature).......................................................................................

Principal’s Stamp

SURETY (Signature)………………………………………..

SURETY’s Stamp…………………………………………….

Nairobi this ................. of .............. two thousand and ............................

(The following words should be inserted in the signatory’s own handwriting)

“Good for the sum* of US Dollars ........................................................”

(*sum to be specified in words & figures)

ANNEX 6 – CERTIFICATE OF COMPLIANCE

All Suppliers should sign the certificate of compliance below and return it together with this tender document.

We___________________________ have read this tender document and agree with the terms and conditions stipulated therein.

Signature of tenderer -------------------------------------------

Date………………………………………………………….

Company Stamp/Seal.

*************************** END *****************************