Cost of RFP: Tk. 5,000/- (Taka Five Thousand only)

DUTCH-BANGLA BANK LIMITED, IT Security Division, K.B. Square (5th floor), 736, Dhanmondi, Dhaka-1209.

Request For Proposal

Gap analysis, remediation plan and rectification of gaps for PCI DSS v3.2 certification and enhancement of security infrastructure by assessing vulnerabilities and implementing SIEM, Directory and Endpoint Support Service, WAF, DLP, Network Behavior Analysis and conducting VAPT service for Dutch-Bangla Bank Limited.

RFP: DBBL/100/ITSD/Tender/2017/01 Submission Date: July 20, 2017

This document briefly describes the functional and business requirements for the gap analysis, remediation plan and rectification of gaps for PCI DSS v3.2 certification, vulnerability assessment and implementation of SIEM, Directory and Endpoint Support Service, DLP, WAF and Network Behavior Analysis, and for conducting a Vulnerability Assessment and Penetration Testing service for Dutch-Bangla Bank Limited.

Table of Contents

1. PREFACE ...... 3
2. INTRODUCTION ...... 5
2.1 Background ...... 5
2.2 Scope ...... 6
2.2.1 Gap Analysis, remediation plan and rectification of gaps for PCI DSS v3.2 ...... 6
2.2.2 Security Information and Event Management (SIEM) ...... 7
2.2.3 Directory and Endpoint Support Service ...... 8
2.2.4 Web application firewall (WAF) ...... 8
2.2.5 Data Loss/Leakage Prevention (DLP) ...... 9
2.2.6 Network Behavior Analysis (NBA) ...... 9
2.2.7 Conducting Vulnerability Assessment and Penetration Testing service of the Bank's network ...... 9
2.3 Intent of RFP ...... 11
3. EXPERIENCE ...... 12
4. ROLL OUT PLAN and Gantt Chart ...... 14
5. REQUEST FOR PROPOSAL ...... 17
5.1 Submission of Proposals ...... 17
5.2 Modifications or Withdrawals of Proposals ...... 17
5.3 Preparation of Proposals ...... 17
5.4 Award and Contact Information ...... 18
6. GENERAL PROVISION ...... 19
6.1 Independent Bidder ...... 19
6.2 Insurance ...... 19
6.3 Laws to be Observed ...... 19
6.4 Assignment/Bidder ...... 19
6.5 Accountant Representative ...... 20
6.6 Ownership of Documents/Work Product ...... 20
6.7 Confidentiality of Information ...... 20
7. GENERAL TERMS AND CONDITION ...... 21
8. SPECIAL PROVISIONS INFORMATION ...... 23
8.1 Bank Parties ...... 23
8.2 Content and Procurement Points of Contact ...... 24
8.3 Restriction on Communications with the Bank Employees ...... 25
8.4 Proposal Response Sequential Order ...... 25
8.5 Beginning Work ...... 25
8.6 Cost of Preparing Proposals ...... 26
8.7 Proposal Evaluation ...... 26
8.8 Risks and Liability ...... 26
8.9 Addendum to the RFP ...... 26
8.10 Use of Sub-bidders ...... 26
8.11 Misrepresentation of Information ...... 26
8.12 Disposition of Proposals ...... 26
8.13 Performance Requirements and Nonperformance Penalties ...... 27
8.14 Bidder Relationship with the Bank ...... 27
9. PROPOSAL SUBMISSION REQUIREMENTS-SEQUENTIAL ORDER ...... 28
9.1 Technical Proposal – Format and Contents ...... 28
9.2 Financial Proposal – Format and Content ...... 30
10. EVALUATION METHODOLOGY ...... 31
10.1 Overview ...... 31
10.2 Compliance With Mandatory Requirements ...... 31
10.3 Technical Scoring and Ranking ...... 31
10.4 Financial Scoring and Ranking ...... 32
10.5 Final Rankings of Proposals ...... 32
11. PAYMENT TERMS ...... 33
11.1 Time Schedule/Invoicing ...... 33
12. PROPOSAL PRICE SHEET AND SIGNATURE PAGE ...... 34

LIST OF ANNEXURES

ANNEXURE A: TECHNICAL SPECIFICATION ...... 37
ANNEXURE B: PROJECT MANAGEMENT ...... 87
ANNEXURE C: USER TRAINING ...... 88
ANNEXURE D: DOCUMENTATION ...... 89
ANNEXURE E: QUALIFICATION APPLICATION ...... 90
ANNEXURE F: SUBMISSION FORM ...... 91
ANNEXURE G: BANK GUARANTEE ...... 92

RFP for Gap analysis, remediation plan and rectification of gaps for PCI DSS v3.2 certification and enhancement of security infrastructure by assessing vulnerabilities and implementing SIEM, Directory and Endpoint Support Service, WAF, DLP, Network Behavior Analysis and conducting VAPT service for Dutch-Bangla Bank Limited. Page 1 of 92 DBBL/100/ITSD/Tender/2017/01

1. PREFACE

Dutch-Bangla Bank Limited, hereinafter called "DBBL" or "the Bank", issues this Request for Proposal (RFP) to assess the gaps for PCI DSS v3.2 certification, prepare a remediation plan and rectify those gaps. The RFP also covers assessing vulnerabilities of the Bank's entire network, the procurement and implementation of SIEM, Directory and Endpoint Support Service, DLP, WAF and Network Behavior Analysis, and the conduct of a Vulnerability Assessment and Penetration Testing service of the Bank's network, all to secure the ICT infrastructure of the Bank.

Through this RFP, DBBL invites bidders to propose a contractual arrangement for the gap assessment, remediation plan and rectification of those gaps for PCI DSS v3.2 certification, for assessing vulnerabilities, for the supply, installation and implementation of SIEM, Directory Service, DLP, WAF and Network Behavior Analysis tools, and for conducting a Vulnerability Assessment and Penetration Testing service of the Bank's network, to ensure a secure ICT infrastructure.

This RFP consists of seven groups of products and services:

Group A: Gap analysis, remediation plan and rectification of gaps for PCI DSS version 3.2.
Group B: Procurement and Implementation of Security Information and Event Management (SIEM) solution.
Group C: Implementation of Directory and Endpoint Support Service and collection of all the information of the endpoints.
Group D: Procurement and Implementation of Data Loss/Leakage Prevention (DLP) solution.
Group E: Procurement and Implementation of Web Application Firewall (WAF) solution.
Group F: Procurement and Implementation of Network Behavior Analysis (NBA) solution.
Group G: Conducting Vulnerability Assessment and Penetration Testing service of the Bank's network.

This RFP is not an offer by the Bank, but an invitation to receive bidder responses. No contractual obligation whatsoever shall arise from the RFP process unless and until a formal contract is signed and executed by duly authorized officers of DBBL and the Bidder.

The RFP document can be collected from the address printed on the top sheet of this RFP document. Before collecting the RFP, bidders must pay the cost of the RFP stated on the cover page, in the form of a Bank Draft in favor of Dutch-Bangla Bank Limited.

Technical proposals may be opened in the presence of the bidders' representatives on the specified date and time. Technically qualified proposals will be taken up for further processing of commercial terms. No further discussion or interface will be granted to bidders whose technical proposals have been disqualified.

The decision of the Bank shall be final and binding on all bidders responding to this document. DBBL reserves the right to accept or reject, in part or in full, any or all of the offers without assigning any reason whatsoever.

The cost of the RFP is Tk. 5,000/- (Taka Five Thousand only). Bidders must make the payment (Pay Order in favor of "Dutch-Bangla Bank Limited") at the time of collecting the RFP. RFP responses without this payment will be rejected outright.

2. INTRODUCTION

2.1 Background

1. Dutch-Bangla Bank Limited is the country's most innovative and technologically advanced bank, and the first bank in Bangladesh to be fully automated. DBBL aims to offer the most innovative and affordable banking products in Bangladesh. DBBL is also the largest donor to social causes in Bangladesh and stands as one of the largest private donors involved in improving the country. DBBL is proud to be associated with helping Bangladesh as well as being a leader in the country's banking sector.

2. DBBL has 165 branches, 700+ Fast Tracks (FTs), 4400+ ATMs and more than 10,000 POS machines all over the country. The Bank has 39 divisions at different locations which belong to the head offices. Moreover, the Bank very recently established mobile banking, for which it has 77 field offices. In total, the Bank currently employs more than 4,000 people.

3. The Bank has currently three data centers in Bangladesh located at Dhanmondi (DC-1), Dumni (DC-2) and Uttara (DRS). DBBL operates core banking system across its head offices, branches, fast tracks, mobile banking office etc.

4. DBBL is one of the largest issuers and acquirers of both debit and credit cards. The Bank operates multiple payment channels such as ATM, POS, e-commerce, mobile banking and agent banking. Customers can request card-related services through the call center at 16216.

5. The Bank has a goal to achieve PCI DSS certification as soon as possible. Accordingly, the Bank will first identify the gaps against the PCI DSS v3.2 requirements and then work to rectify those gaps in order to achieve certification. The Bank is seeking a prime bidder to provide a cost-effective solution for the gap assessment and the remediation of those gaps. Along with this, the Bank is also looking for a potential bidder who will assess the vulnerabilities of the Bank's network and perform penetration testing to find security weaknesses that could lead to breaches in the future.

6. The procurement and implementation of SIEM, Directory and Endpoint Support Service, DLP, WAF and Network Behavior Analysis, and the conduct of a Vulnerability Assessment and Penetration Testing service of the Bank's network, will be carried out to remediate gaps within the ICT infrastructure of the Bank in accordance with industry standards such as PCI DSS, ISO 27001 etc.

2.2 Scope

This section briefly outlines the environment which should be considered by the bidders while designing their offerings. Since it is an outline, the detailed scope may vary for any particular group.

2.2.1 Gap Analysis, remediation plan and rectification of gaps for PCI DSS v3.2

Dutch-Bangla Bank Limited intends to achieve PCI DSS certification to secure its cardholder data (CHD) environment. Accordingly, the Bank needs to perform a gap analysis exercise on the CHD environment against the PCI DSS v3.2 requirements before considering a certification audit.

Dutch-Bangla Bank has 165 branches, 4400 ATMs (approx.), 700 Fast Tracks (approx.) and 10,000 Point of Sale (POS) terminals (approx.). Payment card details are transmitted during transactions at ATMs, FTs, POS terminals and e-commerce gateways. Customer details are also exchanged during e-mail conversations and call center queries.

The Bank has four head office locations, two data centers and one disaster recovery site. The Bank also has a call center to serve its customer base of more than 18 million. The Bank has more than 4,000 full-time employees working across the country. The bidder should consider visiting at least five of the Bank's branches as part of the gap analysis process.

The Bank personalizes its own payment cards (Nexus Debit, MasterCard/Visa Debit and Credit etc.). Approximately 1,500,000 debit cards and 15,000 credit cards are processed/issued in a year. Approximately 850,000 credit card transactions and 74,000,000 debit card transactions are performed in a year.

Cardholder data is stored electronically. Network segmentation is in place, with approximately 30 physical servers and 10 virtual servers involved in cardholder data processing, transmission and storage. 20 external IPs and approximately 250 internal IPs are used within the two data centers and the disaster recovery site. There are approximately 10 connections to other banks and 6,000 merchants.

Approximately 4,900 routers, switches and firewalls are in use across the Bank's data centers, branches, fast tracks, mobile bank field offices and ATM locations. Neither wireless nor cloud technology is used to store, process or transmit cardholder data.

The following technology platforms are used:

- MS Windows Desktops (XP, 7 and 10).
- MS Windows Servers (2003, 2008, 2008 R2, 2012, 2012 R2).
- Linux Servers (Red Hat 5.5, 6.0, 6.5, 7.0 and CentOS 6).
- IBM Servers with AIX as OS.
- HP Superdome Servers with HP-UX as OS.
- Sun/Oracle Servers with Solaris as OS.

The Bank has three internet-facing applications (each with its own database) that handle cardholder data:

1. Ibfcat1.dutchbanglabank.com
2. epay.dutchbanglabank.com
3. nexuspay.dutchbanglabank.com

Internet facing servers are segregated from the main network estate through next generation firewall (NGFW) and intrusion prevention system (IPS). These applications are used for Internet Banking and e-commerce which perform functions such as e-commerce transaction, account statement, fund transfer, bills pay etc.

Sites to be considered for the gap analysis process:

a. Data Center (DC-1): House # 47, Road # 9/A, Dhanmondi R/A, Dhaka-1209
b. Dumni Data Center (DC-2): Khilkhet Bazar, Dumni, Dhaka
c. Cards Operation Division: 315/B (2nd Floor), Shahid Tajuddin Ahmed Sarani, Tejgaon Industrial Area, Tejgaon, Dhaka-1208
d. E-Banking Business Division: 315/B (2nd Floor), Shahid Tajuddin Ahmed Sarani, Tejgaon Industrial Area, Tejgaon, Dhaka-1208
e. Call Center: Rupayan Center, 99 Gulshan Avenue, Gulshan-2, Dhaka, Bangladesh
f. Sample Fast Track (to be decided mutually after issuance of the work order)
g. Sample POS location (to be decided mutually after issuance of the work order)

2.2.2 Security Information and Event Management (SIEM)

The Bank will use a security information and event management (SIEM) solution to obtain real-time analysis of security alerts generated by network hardware, servers and applications. The SIEM solution must provide both security event management (SEM), which deals with real-time monitoring, correlation of events, notifications and console views, and security information management (SIM), which deals with long-term storage as well as analysis, manipulation and reporting of log data and security records. The solution should be designed so that two identical sets are placed in the Bank's two data centers, DC-1 and DC-2, working in Active-Active mode. The SIEM solution should be implemented as outlined in the technical specification section of this RFP.
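The following is an added illustrative example and is not part of the Bank's RFP or of any bidder's product: a minimal event-correlation routine of the kind the SEM component performs, run over constructed authentication log lines. The log format, host and user names, the two correlation rules (five failures then a success from one source address; one user succeeding from two different source addresses inside a window) and the thresholds are assumptions chosen for the illustration, not DBBL telemetry or requirements.

```python
"""Minimal SIEM-style event correlation over constructed auth log lines.

Added example: the 'real-time monitoring and correlation of events' that the
SEM side of a SIEM performs, shown as two sliding-window rules over a
normalised event stream. Log format, names and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed normalised event format (constructed, not real bank logs):
# "<ISO-8601 time> <host> auth <RESULT> user=<name> src=<ip>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_event(line):
    """Parse one line into a dict, or return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines, fail_threshold=5, window_seconds=60):
    """Stream events in order and emit alerts for two correlation rules.

    Rule 1 (brute force then success): at least fail_threshold FAIL events
    from one src within window_seconds, followed by an OK from the same src.
    Rule 2 (multi-source login): one user receives an OK from two different
    src addresses within window_seconds.
    Returns the alert dicts in the order they fire.
    """
    fails = defaultdict(deque)      # src  -> FAIL timestamps still in window
    successes = defaultdict(deque)  # user -> (ts, src) of OK events in window
    alerts = []

    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # a production SIEM would count unparsed lines as a metric
        ts, src, user = ev["ts"], ev["src"], ev["user"]

        # Expire failures that have slid out of the window for this source.
        q = fails[src]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()

        if ev["result"] == "FAIL":
            q.append(ts)
            continue

        # result == OK: rule 1 fires if the burst of failures is large enough.
        if len(q) >= fail_threshold:
            alerts.append({"rule": "bruteforce_then_success", "src": src,
                           "user": user, "failures": len(q), "at": ts.isoformat()})
            q.clear()  # one alert per burst

        # Rule 2: same user succeeded from a different source inside the window.
        s = successes[user]
        while s and (ts - s[0][0]).total_seconds() > window_seconds:
            s.popleft()
        other_srcs = {prev_src for _, prev_src in s if prev_src != src}
        if other_srcs:
            alerts.append({"rule": "multi_source_login", "user": user,
                           "srcs": sorted(other_srcs | {src}), "at": ts.isoformat()})
        s.append((ts, src))

    return alerts


# Constructed sample stream (not real bank telemetry).
SAMPLE_LOG = """\
2017-07-01T09:00:01 cbs-app01 auth FAIL user=teller12 src=10.20.30.40
2017-07-01T09:00:03 cbs-app01 auth FAIL user=teller12 src=10.20.30.40
2017-07-01T09:00:05 cbs-app01 auth FAIL user=teller12 src=10.20.30.40
2017-07-01T09:00:07 cbs-app01 auth FAIL user=teller12 src=10.20.30.40
2017-07-01T09:00:09 cbs-app01 auth FAIL user=teller12 src=10.20.30.40
2017-07-01T09:00:12 cbs-app01 auth OK user=teller12 src=10.20.30.40
2017-07-01T09:00:20 cbs-app01 auth OK user=teller12 src=192.168.77.5
2017-07-01T09:05:00 cbs-app01 auth FAIL user=ops03 src=10.9.9.9
2017-07-01T09:10:00 cbs-app01 auth OK user=ops03 src=10.9.9.9
this line is not an auth event and is skipped
""".splitlines()

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Running the sample produces two alerts: the teller12 burst of five failures followed by a success, and the same account then succeeding from a second address eight seconds later; the ops03 failure is too far from its success to count, and the non-matching line is ignored. Both rules depend on the window and threshold, which is why a SIEM exposes them as tunable policy rather than fixed code.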

2.2.3 Directory and Endpoint Support Service

Dutch-Bangla Bank Limited (DBBL) already has an Active Directory service implemented in a Windows Server 2008 R2 environment. DBBL now intends to upgrade this Active Directory to a Windows Server 2016 environment. In addition, DBBL wants to perform software metering and patch updates and to collect software inventory, hardware inventory, audit logs and all other activity information from endpoints in order to implement security controls. The Bank has more than 4,000 employees and 4,500 endpoint devices all over the country. DBBL needs support assistance for migrating this Active Directory. Along with the support assistance, the bidder should conduct workshops for a minimum of 12 (twelve) key technical staff of the Bank, drawn from the workshops available under the "Microsoft Premier Support Service" and covering:

- System Center Configuration Manager: Concepts and Administration Introduction
- WorkshopPLUS - System Center Operations Manager: Configuration, Administration and Installation
- WorkshopPLUS - System Center Virtual Machine Manager: Implementation and Management
- WorkshopPLUS - Windows Server: Active Directory Domain Services

The bidder should also be responsible for implementing all of these solutions in the DBBL environment. The solution provider is responsible for successful implementation of the solution in DC-1, DC-2 and the Bank's branches, FTs, Mobile Banking outlets etc.

2.2.4 Web application firewall (WAF)

Dutch-Bangla Bank Limited will implement a web application firewall (WAF) to impose security controls protecting its web applications against exploits, impersonation, known vulnerabilities and attackers. The WAF solution should be able to prevent cross-site scripting (XSS), DoS and DDoS, SQL injection, session hijacking and buffer overflow attacks. One of the most common drivers for deploying a WAF is the need to meet regulatory compliance; the Bank expects a solution that comes with prebuilt templates covering various regulations. The WAF should support industry-recognized features such as load balancing, high availability, protection against application security vulnerabilities, custom security enforcement, attack prevention, detection and protection, policy management for different web applications and built-in report generation, sufficient to meet DBBL's needs. The solution provider is responsible for successful implementation of the WAF in DC-1 and DC-2. The solution should sit in the DMZ zone/Internet side as well as on the Intranet side of the DBBL data center. The WAF solution should be implemented as outlined in the technical specification section of this RFP.

2.2.5 Data Loss/Leakage Prevention (DLP)

Dutch-Bangla Bank Limited needs to secure communication channels, such as e-mail, to ensure employees do not send sensitive information to unauthorized recipients. With the increasing use of web applications and a growing mobile workforce conducting business on portable devices such as laptops (with their potential for theft and loss), an effective Data Leakage Prevention (DLP) solution must provide coverage for a wide range of communication channels. To achieve this goal, the required DLP solution must include web, e-mail and endpoints/laptops among the channels it secures and, where necessary, must be able to block transmission of data on these channels. Managing separate policies for each channel quickly becomes cumbersome, so the DLP solution should provide policy management and reporting capabilities that administrators can easily extend to several channels from a single policy. One of the most common drivers for deploying DLP is the need to meet regulatory compliance; the Bank expects a solution that comes with prebuilt templates covering various regulations. The solution should also be customizable, so that the Bank can tailor the built-in policies to its specific regional or industry requirements. The solution provider is responsible for successful implementation of the DLP solution in DC-1, DC-2 and all DBBL locations (head office, branches, fast tracks, mobile banking offices, agent banking etc.). The DLP solution should be implemented as outlined in the technical specification section of this RFP.
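The following is an added illustrative example and is not part of the Bank's RFP or of any bidder's product: the content-inspection rule a DLP policy applies to an outbound e-mail body or web upload, finding primary account numbers (PANs), confirming them with the Luhn check so that ordinary account, ticket or phone numbers do not trigger it, and returning a block/allow decision in which the PAN is masked to its first six and last four digits so that the DLP incident log does not itself become a store of cardholder data. The sample messages, channel names, single cross-channel policy and the 13-to-19-digit candidate heuristic are constructed assumptions; the card numbers used are publicly documented test numbers, not real accounts.

```python
"""DLP content rule for primary account numbers (PANs) in outbound text.

Added example: find digit runs that look like card numbers, confirm them
with the Luhn (mod 10) check, and report only masked values so the DLP
log never stores a full PAN. Sample messages, channel names and the
policy shape are assumptions for this example, not DBBL policy.
"""
import re

# A PAN is 13 to 19 digits. People type them with spaces or dashes between
# groups, so allow one optional separator after each digit. The lookarounds
# stop a candidate from starting or ending inside a longer digit run.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Mask to first six and last four digits (the most PCI DSS 3.3 permits)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return masked, Luhn-valid PAN candidates found in text, in order."""
    found = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def evaluate_message(body, channel, blocking_channels=("email", "web", "endpoint")):
    """Apply one policy across channels: block if the body carries a PAN and the
    channel is one the policy blocks on, otherwise allow. The returned incident
    record never contains a full PAN."""
    pans = find_pans(body)
    action = "BLOCK" if pans and channel in blocking_channels else "ALLOW"
    return {"channel": channel, "action": action,
            "pan_count": len(pans), "masked": pans}


# Constructed messages; the card numbers are well-known public test PANs.
SAMPLE_MESSAGES = [
    ("email", "Customer card 4111 1111 1111 1111 is blocked, call +880 1711 123456"),
    ("web", "Transfer ref 1234567890123456 posted; dispute on 5555-5555-5555-4444 raised"),
    ("email", "Call center 16216 handled order 4111111111111112 today"),
    ("internal_chat", "Replacement for 4012888888881881 approved"),
]


def run_samples():
    """Evaluate every sample message and return the incident records."""
    return [evaluate_message(body, channel) for channel, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for record in run_samples():
        print(record)
```

In the sample, the first two messages are blocked (one PAN each, the phone number and the 16-digit transfer reference fail the Luhn check and are ignored), the third is allowed because its 16-digit number is not Luhn-valid, and the fourth carries a real test PAN but travels on a channel the policy does not block, which the incident record still reports with the PAN masked. Note that Luhn filtering only removes noise; it does not prove a number is a card, so a production rule would add issuer-prefix checks and context keywords before blocking.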

2.2.6 Network Behavior Analysis (NBA)

Dutch-Bangla Bank is looking for a Network Behavior Analysis (NBA) solution to monitor, at a granular level, the activities occurring within the Bank's network at branch locations, data centers, head office etc. The Bank intends to obtain real-time threat detection, incident response and forensics, network segmentation and network performance monitoring features from the solution. The Bank expects a solution that comes with prebuilt templates covering industry-recognized regulations such as PCI DSS, ISO 27001 etc. The solution provider is responsible for successful implementation of the NBA solution in DC-1, DC-2 and DBBL's overall IT environment.

2.2.7 Conducting Vulnerability Assessment and Penetration Testing service of the Bank's network

The Bank wishes to appoint a competent bidder to carry out Vulnerability Assessment and Penetration Testing (VAPT) of the internet-facing applications and the underlying infrastructure deployed at the Bank's data centers. The VAPT should cover the Bank's information system infrastructure, which includes networking systems, security devices, servers, databases and application systems accessible via public IPs maintained at the Bank's data centers DC-1 and DC-2. It should also include the overall Cardholder Data Environment (CDE) as per the PCI DSS v3.2 requirements. The selected bidder shall independently arrive at an approach and methodology suitable for the Bank, based on industry best practices and standard guidelines, after taking into consideration the effort estimate for completion and the resource and equipment requirements. The approach and methodology will be approved by the Bank. Internal vulnerability testing and configuration reviews shall be performed against an appropriately sized sample of systems and network devices representative of the environment, to establish whether platforms and devices are hardened against industry security standards. The penetration tester must conduct the vulnerability assessment in consultation with the concerned personnel and with the explicit prior permission of the Bank. Finally, recommendations must be provided and remediation performed.

2.3 Intent of RFP

- The intent of this RFP is to invite potential bidders to bid for the gap assessment for PCI DSS certification and the implementation of various security products.

- Potential bidders may quote for one or more groups. The proposed solution for any group should be a turnkey solution configured to support all the functionalities described in this RFP.

- The bidder submitting the proposal for a group will be responsible for the entire implementation on a turnkey basis and will be the single point of contact for DBBL, even if different components of the requirements are sourced from different vendors.

- The proposed hardware and software solution should satisfy the performance parameters and throughput requirements desired by the Bank from now until at least the next 5 years without changing the proposed hardware.

- The bidders of all other groups have to support, restructure, reconfigure and fix their systems under the guidance of the bidder who wins Group A: Gap analysis, remediation plan and rectification for mitigating those gaps for PCI DSS version 3.2.

- The bidders of each group have to accommodate all the necessary requirements, as well as any additional ones if required, at the time of implementation.

3. EXPERIENCE

The bidder should have adequate experience of implementing the bidding product/solution in at least 03 banks/telcos/insurance/leasing companies in Bangladesh or abroad within the last 03 years (proper evidence must be attached).

Reference Site

List of major customers of the bidding product/solution in last 03 Years and their references:

The reference table has the following six columns (one row per customer):

1. Sl. No.
2. Name and complete address of the customer
3. Name, designation, telephone, fax and e-mail address of the contact person of the customer in column 2
4. Brief scope of work (project summary)
5. Brief description of the bidding product/solution where the solution is implemented
6. Attach reference letter (the bidder can attach a separate paper if required)

(Enclose necessary documentary proof.) Note: If the bidder is applying for more than one group, a separate table must be added for each group. This should be on the letterhead of the bidder and duly signed as per this format.

I/we solemnly declare that the statements made above are correct. I/We agree that any misstatement made by us, if detected later on, shall render our application unacceptable to the Bank.

(Signature) (Name & designation of Authorized Signatory) (Name & Address of the Bidder with Seal)

The following form is applicable only for the bidders who intend to bid for Group A: Gap analysis, remediation plan and rectification of gaps for PCI DSS version 3.2.

The compliance checklist below has the columns SL, Features/Description, Comply and Not Comply; the bidder marks one of the last two columns for each item.

General Requirements

1. Bidder/Assessor should preferably be from USA/UK/Europe/Australia/Japan.
2. The Qualified Security Assessor (QSA) employees/resources involved in the PCI DSS project must be citizens of the QSA company's originating country.
3. Bidder or their partners have a minimum of 2 (two) years of PCI DSS project experience (please attach evidence).
4. Bidder or their partners have provided PCI DSS services to a minimum of 2 (two) organizations/companies (please attach evidence).
5. Bidder or their partners have experience in implementation, testing and certification services (please attach evidence).

Project Team

6. The Project Manager has experience in managing large and complex projects.
7. Bidder must provide a dedicated project manager along with his detailed resume.
8. Bidder has to provide local resources for the project team together with their foreign partner.

4. ROLL OUT PLAN AND GANTT CHART

1. The bidder will have to provide a roll-out plan for each group bid for, strictly following the requirements of the RFP. A sample format of the roll-out plan is given below:

Sample format (columns: Sl. No., Solution/Product Name, Description, Time frame). For every row, the Description column reads "Please specify in detail, with working procedure covering the scope" and the Time frame column reads "Please specify the number of days needed from the date of issuance of the work order".

1. Group A: Gap analysis, remediation plan and rectification of gaps for PCI DSS version 3.2.
2. Group B: Procurement and Implementation of Security Information and Event Management (SIEM) solution.
3. Group C: Procurement and Implementation of Directory and Endpoint Support Service and collection of all the information of the endpoints.
4. Group D: Procurement and Implementation of Data Loss/Leakage Prevention (DLP) solution.
5. Group E: Procurement and Implementation of Web Application Firewall (WAF) solution.
6. Group F: Procurement and Implementation of Network Behavior Analysis (NBA) solution.
7. Group G: Conducting Vulnerability Assessment and Penetration Testing service of the Bank's network.

2. The bidder needs to provide distinct Gantt chart for all the groups he wants to bid.

Note:

1. Bidder has to mention detailed hardware and associated software specifications such as application servers, database servers and OS along with any intermediate hardware and/or software to implement the solution successfully.

2. All required software for implementing the solution will be the responsibility of the bidder which includes providing license, delivery and installation.

3. The scope of work includes, but is not limited to, design, engineering, installation, commissioning, testing, integration, training etc. of all the products offered in the solution infrastructure.

4. Solutions offered may be stand-alone product suites or groups of integrated applications and services.

5. The bidder shall arrange inspection for functional testing as per technical specification and system performance demonstration to the Bank’s representative.

6. The bidder shall provide licenses for all the supplied software in the name of the Bank.

7. Installation, commissioning, configuration and integration of all components of the bidding product for a particular group should be the turnkey responsibility of the respective bidder as per bidding document.

8. Bidder has to provide one month onsite support after the date of completion of the project. The completion certificate shall be issued by the Bank on successful completion of the project.

9. Any other items (software, licenses, tools etc.) not indicated in this document but required to make the system fully operational will also be the responsibility of the bidder.

10. A proper UAT document has to be shared with the Bank, and all observations and recommendations have to be added to it before the final UAT is performed.

11. Handover documents must record the detailed installation procedure and the configuration parameters used during and after installation. The documents should include full screen captures for further reference and operation.


DC-1, DC-2 and DRS COMPONENT MODEL

Centralized Primary Data Centre (DC-1), Near Data Center (DC-2) and Disaster Recovery Site (DRS) Layout.


5. REQUEST FOR PROPOSAL

5.1 Submission of Proposals

a. Sealed Proposals will be received for providing the services/solutions/products for Dutch-Bangla Bank Limited by the IT Security Division of Dutch-Bangla Bank, Dhaka until July 20, 2017 at which time they will be publicly opened.

b. Sealed Proposals must include:

i. Technical Proposal: one (1) original hard copy and one (1) electronic copy on a CD/DVD/Flash Drive in MS-Word format.

ii. Cost Proposal: one (1) original hard copy and one (1) electronic copy on a CD/DVD/Flash Drive in MS-Word format.

c. NOTE: Packages not containing the required number of copies will be rejected.

d. No proposal will be considered which is not accompanied by the attached Proposal Price Sheet and signed by the proper official of the bidder. Proposals will not be accepted by FAX or email.

e. Proposals shall be received in the office of the IT Security Division on or before the time and date specified. Proposals received after the time specified will not be considered and will be returned unopened.

f. Proposal information is restricted and not publicly available until after the award of the Contract by the IT Security Division.

5.2 Modifications or Withdrawals of Proposals

a. A proposal that is in the possession of IT Security Division may be altered by letter bearing the signature or name of the authorized person, provided it is received PRIOR to the date and time of the opening. FAX, telephone, or verbal alterations will not be accepted.

b. A proposal that is in the possession of the IT Security Division may be withdrawn by the bidder up to the time of the opening. Failure of the successful bidder to furnish the service awarded as a result of this advertisement shall eliminate the bidder from the active bidders list for a period of time as determined by the IT Security Division.

5.3 Preparation of Proposals

a. No proposal will be considered which modifies, in any manner, any of the provisions, specifications, or minimum requirements of the Request for Proposal.

b. In case of error in the extension of prices in the proposal, unit prices will govern.

c. Bidders are expected to examine special provisions, specifications, schedules, and instructions included in this Request. Failure to do so will be at the bidder’s risk.

d. Failure to respond to Request for Proposals will be understood by the Bank to indicate a lack of interest and will result in the removal of the Bidder's name from the applicable mailing list.

5.4 Award and Contact Information

a. Dutch-Bangla Bank notifies all bidders that it will affirmatively ensure that minority business enterprises will be afforded full opportunity to submit proposals in response to this invitation and will not be discriminated against on the grounds of age, race, color, sex, creed, national origin, or disability.

b. The bidder also agrees that, should it be awarded a Contract, it will not discriminate against any person who performs work thereunder because of age, race, color, sex, creed, national origin, or disability.

c. The bidder expressly warrants to the Bank that it has the ability and expertise to perform its responsibilities hereunder and in doing so shall use the highest standards of professional workmanship.

d. Dutch-Bangla Bank reserves the right to reject any or all proposals, to waive any informality or technical defect in the proposals, or to award the contract in whole or in part, if deemed to be in the best interest of the Bank to do so. The IT Security Division will award this contract to the bidder with the most responsive and responsible offer, based on the criteria specified herein.

e. This Request for Proposal shall become part of the Contract and will be in effect for the duration of the Contract period.

f. The successful bidder will be required to enter into and sign a formal Contract with the Bank with reasonable adjustments acceptable to the Bank. The agreement will become a part of the Contract and will be in effect for the duration of the contract period. The contract language will control over any language contained within this RFP that conflicts with the signed and fully executed Contract.


6. GENERAL PROVISION

6.1 Independent Bidder

The bidder shall function as an independent bidder for the purposes of the Contract, and shall not be considered an employee of the Bank for any purpose. The bidder shall assume sole responsibility for any debts or liabilities that may be incurred by the bidder in fulfilling the terms of the Contract, and shall be solely responsible for the payment of all local taxes which may accrue because of this Contract. Nothing in the Contract shall be interpreted as authorizing the bidder or its agents and/or employees to act as an agent or representative for or on behalf of the Bank, or to incur any obligation of any kind on behalf of the Bank. The bidder agrees that no health/hospitalization benefits, workers' compensation and/or similar benefits available to the Bank employees will inure to the benefit of the bidder or the bidder's agents and/or employees as a result of this Contract.

6.2 Insurance

The bidder shall indemnify and save harmless the Bank, its officers, and employees from all suits, actions, or claims of any character brought because of injuries or damage received or sustained by any person, persons, or property; on account of the operations of the said bidder or on account of or in consequence of any neglect in safeguarding the work; or because of any act or omission, neglect, or misconduct of said bidder or from any claims or amounts arising or recovered under any law, ordinance, order or decree.

6.3 Laws to be Observed

The bidder shall keep fully informed on all local laws, bylaws, regulations and all orders and decrees of bodies or tribunals having any jurisdiction or authority which in any manner affect those engaged or employed on the work or which in any way affect the conduct of the work. The bidder shall at all times observe and comply with all such laws, bylaws, ordinances, regulations, orders and decrees in force at the time of award. The bidder shall protect and indemnify the Bank and its representatives against any claim or liability arising from or based on the violation of any such law, bylaw, ordinance, regulation, order, or decree whether by himself or his/their employees. No extension of time or additional payment will be made for loss of time or disruption of work caused by any actions against the provider for any of the above reasons.

6.4 Assignment/Bidder

• The Contract shall not be assigned by the bidder. Third party participation is authorized only as a joint venture which shall be clearly stated with details on the original proposal, signed by all parties participating. Any alterations, variations, modifications, or waivers of the provisions of this Contract shall be valid only if they have been reduced to writing, duly signed by the parties hereto and attached to the original Contract agreement.

• The bidder shall not enter into any subcontracts for any of the work contemplated under this Contract without prior written authorization of the Bank.


• The bidder shall not use the Contract, or any portion thereof, as collateral for any financial obligation without the prior written permission of the Bank.

6.5 Accountant Representative

The successful bidder(s) shall appoint, by name, a company representative who shall be responsible for servicing this account. The appointed representative shall be responsible for providing the services required to ensure that the account is administered in an organized, systematic manner.

6.6 Ownership of Documents/ Work Product

It is agreed that all finished or unfinished documents, data, or reports, prepared by the bidder under the Contract shall be considered the property of the Bank, and upon completion of the services to be performed, or upon termination of the Contract for cause, or for the convenience of the Bank, will be turned over to the Bank.

6.7 Confidentiality of Information

All documents, data compilations, reports, computer programs, photographs, and any other work provided to or produced by the bidder in the performance of the Contract shall be kept confidential by the bidder unless written permission is granted by the Bank for its release.


7. GENERAL TERMS AND CONDITION

a) The participating company must submit the offer using a two-envelope system. One envelope will contain the technical offer and the other the financial offer. The two envelopes must be enclosed in a larger envelope. All envelopes must bear the full name and address of the participating company. The name, address and telephone number of the contact person should be mentioned in the forwarding letter submitted with the technical offer.

b) The participating vendors must offer all the items in a particular group of the RFP. A partial offer for a group will not be accepted.

c) Sealed proposals have to be submitted to the Head of IT Security Division of the Bank on or before July 20, 2017, by 3:00 p.m. The technical offers will be opened at 3:15 p.m. on the same day in the presence of bidders, if any. The financial offers will be opened later; the evaluation of the technical offers will also take place later.

d) All pages of the tender schedule as well as all offered documents should be duly signed by the bidder's authorized signatory.

e) Proper documents and data sheets have to be provided showing that every specification stated in the required technical specifications is present in the offered solution/product/service.

f) 1% (one percent) of the quoted price is to be submitted with the offer through a PO/BG in favor of "Dutch-Bangla Bank Limited" as earnest money for a period of one year. If the successful supplier fails to deliver, install and commission the software within the stipulated time, the earnest money will be forfeited. The pay order/bank guarantee must be placed in the financial offer. The validity of the pay order/bank guarantee should not be less than one year.

g) The earnest money of the awarded vendor will be released after successful delivery of the service or installation, configuration and operation of the product/solution. The earnest money of the other bidders will be released after evaluation and decision.

h) All quoted prices should include delivery, installation, testing and training costs and VAT, tax etc., if any.

i) Post-live support and maintenance should be provided for a period of one year after commissioning. No additional cost will be paid for this period.

j) The bidder should provide an unrestricted license for DBBL DC-1 and DC-2, all branches and offices, and for any number of users.

k) The warranty period will start after delivery and successful operation of the products/solutions. The AMC will start after the end of the warranty period. Both the warranty and the AMC should be backed by a similar back-to-back warranty/AMC between the bidder and the OEM for the DBBL project, a draft copy of which should be submitted to the Bank along with the offer.


l) In case of any software or hardware problem, the bidder should attend to the problem within 2 hours, and the problem should be resolved within 6-12 hours at most.

m) The successful company must submit the original technical and user manuals of the software at the time of its delivery to the Bank.

n) Photocopies of all relevant documents should be submitted with the offer, including:
• Up-to-date Trade License
• Up-to-date GIR/TIN certificate
• Proof of experience as required in the earlier section of this schedule

o) The offers should be valid for at least 6 (six) months.

p) The bidder should have its office in Dhaka, Bangladesh, for local onsite support.

q) All prices should be quoted in BDT. Payment will be made in BDT as well.

r) The authority reserves the right to relax, change or drop any of the terms and conditions of the schedule without further notice.

s) The Bank shall not be under any obligation to accept the lowest quotation.

t) The Bank authority reserves the right to accept or reject any or all offers, in part or in full, without assigning any reason.

u) The terms of payment will be as follows:
• 50% of the total value on signing of the agreement against a Bank Guarantee of the same amount with a validity of one year. The Bank Guarantee will be released after successful operation, which includes delivery and commissioning. Otherwise, 50% may be paid after UAT.
• 30% after go-live.
• 20% after 3 (three) months of successful go-live.


8. SPECIAL PROVISIONS INFORMATION

Proposals must be delivered to the IT Security Division in a sealed envelope or package within specified date and time.

DELIVER PROPOSAL TO:

IT SECURITY DIVISION
K.B. Square (5th Floor)
736, Satmasjid Road
Dhanmondi, Dhaka-1209
Bangladesh

NO PROPOSAL WILL BE ACCEPTED AFTER THE SPECIFIED DATE AND TIME.

NOTE: Envelope not containing the required number of copies will be rejected. There will be no exception.

8.1 Bank Parties:

• This Request for Proposal (RFP) is issued by the Dutch-Bangla Bank Ltd. IT Security Division.

• Throughout this document and others in connection with this project, various references are made, or will be made, to "the Bank". Generally, whenever this reference appears, the term "the Bank" incorporates Dutch-Bangla Bank Ltd.

• It should be understood that the Bank's Head of IT Security Division is empowered to be the signatory on all contracts, agreements, or modifications pertaining to this project. Such agreements, etc., not bearing this signature or that of a designee are invalid insofar as contractual relations between the Bank and bidder are concerned.

• The name and address of the Bank parties are:

Sk. Shakil Ahmed
Head of IT Security Division
K.B. Square (5th Floor)
736, Satmasjid Road
Dhanmondi, Dhaka-1209
Bangladesh
E-mail: [email protected]


8.2 Content and Procurement Points of Contact:

• The Bank's IT Security Division is the primary point of contact from the date of release of the RFP until the contract is fully executed and signed. Any attempt to contact any employee of the Bank, other than those named below or their named designee, regarding this procurement may cause rejection of any proposal submitted by that party.

• Questions regarding the content of this RFP as they relate to scope, goals and objectives must be submitted in writing (email preferred) to:

Sk. Shakil Ahmed
Head of IT Security Division
K.B. Square (5th Floor)
736, Satmasjid Road
Dhanmondi, Dhaka-1209
Bangladesh
E-mail: [email protected]

And/or

Shahidul Islam Sagar
Deputy Head of IT Security Division
K.B. Square (5th Floor)
736, Satmasjid Road
Dhanmondi, Dhaka-1209
Bangladesh
E-mail: [email protected]

• Written questions related to the procurement process must be submitted to the Bank representative responsible for this RFP:

Sk. Shakil Ahmed
Head of IT Security Division
K.B. Square (5th Floor)
736, Satmasjid Road
Dhanmondi, Dhaka-1209
Bangladesh
E-mail: [email protected]

And/or

Shahidul Islam Sagar
Deputy Head of IT Security Division
K.B. Square (5th Floor)
736, Satmasjid Road
Dhanmondi, Dhaka-1209
Bangladesh
E-mail: [email protected]

• Written questions regarding RFP material or the procurement process shall be submitted in hard copy to the above address.

• Written responses will be sent to all parties. Responses will not identify the bidder that submitted the question. All parties should clearly understand that only the written answers issued by the Bank are the official position on an issue, and these answers shall become part of the RFP and, by incorporation, of any subsequent contract.

8.3 Restriction on Communications with the Bank Employees:

• From the issuance date of this RFP until a bidder is selected and the selection is announced, bidders are not allowed to communicate with the Bank employees associated with this project except:

• The procurement section;
• Bank representatives during the pre-proposal conference and oral presentations, or in response to questions during the selection process;
• Via written questions.

• For violation of this provision, the Bank reserves the right to reject the proposal.

8.4 Proposal Response Sequential Order:

Bidders are required to keep their proposal response in the same sequential order that is referenced in this RFP.

8.5 Beginning Work:

The successful bidder must not commence any work that could be billed until a valid contract has been executed. The Bank will not pay for any work by the bidder prior to execution of the contract.


8.6 Cost of Preparing Proposals:

All costs incurred for the preparation of this proposal and for other procurement-related activities are solely the responsibility of the bidder. The Bank will not provide reimbursement for such costs.

8.7 Proposal Evaluation:

All bidders must meet the minimum qualifications set forth in the Proposal Requirements and Review Process in order to be considered and ranked pursuant to the criteria set forth in this RFP.

8.8 Risks and Liability:

By submitting a proposal, a bidder specifically assumes any and all risks and liability associated with information marked confidential in the proposal and the release of that information.

8.9 Addendum to the RFP:

The Bank reserves the right to amend the RFP prior to the date for proposal submission. Addendums will be sent to all bidders that are on the RFP mailing list.

8.10 Use of Sub-bidders:

The prime bidder shall be wholly responsible for performance of the entire contract whether or not sub-bidders are used. In any event, whether there are subcontracting or joint venture arrangements proposed or not, a prime bidder shall be designated in the proposal and the prime bidder shall sign any resulting contract award. The Bank reserves the right to reject any named sub-bidder or any proposed sub-bidder relationship. The bidder shall not enter into any subcontracts for any of the work proposed under the contract without prior written acceptance from the Bank.

8.11 Misrepresentation of Information:

Misrepresentation of a bidder's status, experience, or capability in the proposal may result in disqualification of that bidder from the selection process. Discovery of litigation or investigations in a similar area of endeavor may, at the discretion of the Bank and after consultation with the Procurement Services Section, preclude the bidder from the selection process.

8.12 Disposition of Proposals:

All material submitted becomes the property of the Bank, which is under no obligation to return any of the material submitted in response to the RFP. The successful proposal shall be incorporated into the resulting contract and shall be a matter of public record following the award of the contract.


8.13 Performance Requirements and Nonperformance Penalties:

It is the normal practice of the Bank to deduct 10,000 (ten thousand) Taka per day from the total bill as a penalty if the bidder fails to provide the deliverables within the stated deadlines, fails to meet the milestones or performance requirements stated in the RFP/Work Order, or fails to provide acceptable deliverables. However, the penalty may be waived if the bidder submits a proper reason that satisfies the Bank and if the deliverables have been successfully completed and accepted by the Bank.

Payments of invoices will be based upon the bidder meeting the stated deadlines and upon the Bank’s written acceptance of the deliverables. Should the bidder fail to comply with the provisions of the contract, payment for portions of the contract will be withheld until such time as the contract terms have been implemented. Administrative, contractual, and/or legal remedies as determined by the Bank will be implemented if it appears the bidder has breached or defaulted on the contract.

8.14 Bidder Relationship with the Bank:

Bidder staff will have an ongoing relationship with the Bank staff that is based on trust, confidentiality, objectivity, and integrity. The bidder will be expected to operate at all times in the Bank's best interests and in a straightforward, trustworthy, and professional manner.


9. PROPOSAL SUBMISSION REQUIREMENTS-SEQUENTIAL ORDER

9.1 Technical Proposal – Format and Contents

Proposals must be submitted in two major sections: The Technical Proposal and the Financial Proposal. The bidder is responsible for submitting a separate section, within the proposal, in response to the following items. Omission of this section or any item within this section may result in the proposal being eliminated.

• Appropriate Copies:

• Technical Proposal: one (1) original hard copy, one (1) electronic copy on a CD/DVD/Flash Drive in MS-Word format.

• The bidder shall, at a minimum, address the following points:

• Table of Contents: The Table of Contents must include all items listed in this section.

• Executive Summary: The Executive Summary will condense and highlight the contents of the technical proposal in such a way as to provide the Bank with a broad understanding of the bidder's qualifications and approach to meeting the requirements of the RFP.

• Bidder's Background and Experience: Company overview. The bidder must include a company summary including: a) Company history, b) Office location(s), c) Company size, d) Audited financial statements, and e) Statement of technical areas of expertise. The bidder must be able to substantiate to the satisfaction of the IT Security Division that the bidder has sufficient resources to complete the project successfully within the time requirements.

• Résumés: The bidder must include brief résumés for personnel that will be working on the project, if awarded the contract. The résumés must clearly identify expertise in the functional areas listed in Annexure-A: Technical Specification. Specialized training courses alone will not be acceptable as demonstration of expertise in the required areas; proven work experience combined with related education will be the means of substantiating expertise.


• Single Point of Contact: The bidder must identify a single point of contact for all contract management activities. The bidder's Project Manager's name and résumé must be submitted with the proposal. The successful bidder must not change the Project Manager without written Bank approval.

• Bidder's Project Work Plan: The bidder must submit a work plan that meets the needs of the RFP and indicates a thorough understanding of the scope of the work as outlined in Section 2 of this RFP. The bidder must identify realistic person-hours of effort and responsibilities for each deliverable and work activity in a Gantt chart format.

• Project Management Plan: The proposal must contain a comprehensive and practical description of the bidder's plans for project management and control mechanisms, including staff organizational structure, progress reporting, major decision-making, sign-off procedures, and internal control procedures. The bidder must also indicate flexibility in meeting changes in program requirements and coping with problems.

• Project Delays: The bidder must also describe how project delays will be addressed should they occur. This should include assurances that sufficient resources and knowledgeable, experienced staff are available to meet all of the project schedules.

• Contract Exceptions: The bidder must state agreement with all general provisions. Any exceptions to the provisions included in the Contract Terms and Conditions must be noted in the Executive Summary. Identifying exceptions to the Contract Terms and Conditions does not bind the Bank in any way to accept such changes, but only ensures that discussion and resolution of their acceptance may be deferred until after a tentative award is made.

• Staffing and Project Organization: An Organization Chart must be included with all proposed personnel, including the supervisor level, functional responsibilities, key personnel, and other staff members who will be involved in the project.

• Bidder Check List: The bidder shall submit a checklist in which the bidder evaluates its existing offering against the RFP's mandatory and optional requirements.


9.2 Financial Proposal – Format and Content:

Important: All cost proposals must be submitted under separate cover in a sealed envelope.

• Proposal Price Sheet

Financial Proposal: one (1) original hard copy, one (1) electronic copy on a CD/DVD/Flash Drive in MS-Word format.


10. EVALUATION METHODOLOGY

10.1 Overview:

Evaluation Committees:

 IT Security Division will conduct a comprehensive, fair, and impartial evaluation of proposals received in response to this RFP. Proposals will be evaluated by the Technical Committee. The Technical Committee is made up of members representing the project subject expertise from the Bank. The Purchase Committee is made up of members representing the Bank. The Technical Committee will review and score (if needed) all proposals and will make the final recommendation to the Purchase Committee.

 The Board of Directors of the Bank will receive recommendations from the purchase committee and make the final decision.

10.2 Compliance With Mandatory Requirements:

To be considered responsive, a submitted proposal must meet the minimum and mandatory requirements defined in this RFP. The minimum requirements are intended to ensure that evaluation of the Technical Proposal can proceed and that the Bidder agrees to perform all responsibilities within the RFP and the Contract Terms and Conditions.

10.3 Technical Scoring and Ranking:

The Bank’s approach to contract performance will be based upon the bidder’s response to the following:

 Approach to meeting the mandatory requirements and specifications, as described in the RFP.

 Approach in addressing the goals and objectives specified in this RFP.

 Approach to a comprehensive and practical plan for project management and control mechanisms, including progress reporting, major decision-making, sign-off procedures and internal control procedures.

 Approach to how project delays will be addressed, should they occur.


 Approach to assuring sufficient resources and knowledgeable or experienced staff for meeting deadlines and compensating for delays.

 Approach to contract responsibilities.

 Approach to resolving disputes or disagreements in contract or work requirements.

 Approach to meeting deliverables and milestones deadlines.

 Approach to change orders or modifications to work in progress.

 Approach to oral presentation, if required. The evaluation team will determine, after receipt of the written proposals, whether selected bidders will be requested to make any oral presentation based on their proposal. However, the evaluation team reserves the right to make an award without requesting an Oral Presentation from any bidder. All oral presentation costs will be the responsibility of the bidder.

10.4 Financial Scoring and Ranking:

Financial Proposal shall be under separate cover in a sealed envelope for each group. The cost will be presented as key deliverables in the form of individual cost and a project total (sum of the deliverables). The total project cost must include all the required components of a group listed in Annexure-A. All references in the Technical Proposal should be included within the cost quoted in the Financial Proposal – unless otherwise specifically stated.

10.5 Final Rankings of Proposals:

The Bank will be the sole authority with respect to the evaluation of proposals. The bidder which best meets the conditions of each of the individual criterion will be awarded the highest preference for that specific criterion. Proposals that provide a complete solution meeting all mandatory requirements and include optional items will be given preference during evaluations. The balance of the bidders will be rated based on their evaluated preference.

The Bank reserves the right to accept an entire proposal, a partial proposal and a single component of a proposal or no proposal at all.


11. PAYMENT TERMS

11.1 Time Schedule/ Invoicing

 50% of the total payment will be paid after

 On the signing of the agreement against Bank Guarantee of the same amount with a validity of one year. Bank Guarantee will be released after successful operation, which includes delivery and commissioning.  Otherwise, 50% may be paid after UAT.

 30% will be paid after

 15 days of going live

 20% will be paid after

 Successfully operating for 3 months of successful go live.

 In case of failure to deliver the necessary hardware and software within the specified time, or failure to meet a given deadline, 10,000 BDT will be deducted for each day from the payment until all the deliverables are handed over to the Bank representative or the deadline is met. However, this penalty may be waived upon receipt of a satisfactory explanation by the Bank representatives.

 The vendor is required to submit weekly status reports outlining the project’s progress and compliance with milestones and delivery dates. The Bank’s representative will verify each report to confirm that the milestones and delivery dates met to date are in line with the RFP and contract requirements.


12. PROPOSAL PRICE SHEET AND SIGNATURE PAGE

FINANCIAL STATEMENT (To be submitted on the pad of the bidder)

The undersigned agrees to provide a complete solution and service to the Dutch-Bangla Bank Limited in accordance with this Request for Proposal’s General Provisions, General Terms and Conditions and Financial Offer (Proposal Price Sheet).

12.1 By Submission of a Proposal, The Bidder Certifies:

12.1.1 Prices in this proposal have been arrived at independently, without consultation, communication or agreement for the purpose of restricting competition.

12.1.2 No attempt has been made nor will be by the bidder to induce any other person or bidder to submit a proposal for the purpose of restricting competition.

12.1.3 The person signing this proposal certifies that he/she is authorized to represent the company and is legally responsible for the decision as to the price and supporting documentation provided as a result of this advertisement.

12.1.4 Bidder will comply with all Government regulations, policies, guidelines, and requirements.

12.1.5 Prices in this proposal have not been knowingly disclosed by the bidder and will not be prior to award to any other bidder.

12.2 General Information:

Bidder Name ______

Phone ( ) ______ FAX ( ) ______

Mailing Address ______

City ______ Division ______ Zip ______

TAX Identification Number ______

12.3 Ownership and Control:

Bidder's Legal Structure:

______ Sole Proprietorship

______ General Partnership

______ Corporation

______ Limited Partnership

______ Limited Liability

______ Other ______

If bidder is a sole proprietorship, list:


Bidder Name______

Phone ( ) ______FAX ( )______

Mailing Address______

City______Division______Zip______

TAX Identification Number ______

Beginning date as owner of sole proprietorship______

Provide the names of all individuals authorized to sign for the bidder:

NAME (printed or typed) TITLE ______

VERIFICATION

I certify under penalty of perjury, that I am a responsible official (as identified above) for the business entity described above as bidder, that I have personally examined and am familiar with the information submitted in this disclosure and all attachments, and that the information is true, accurate, and complete. I am aware that there are significant penalties for submitting false information, including criminal sanctions which can lead to imposition of a fine.

______(Signature) (Date)

(Name and Title) (Typed or Printed)


Financial Offer

1. Name of the Company :

2. Quoted price :

A. Items* (columns: Serial No | Items* | Qty | Unit Price | Total Price | Per year AMC (% of one-time cost), including hardware, software, subscription, support etc.)

1. Gap analysis, remediation plan and rectification of gaps for PCI DSS version 3.2
2. SIEM
3. Directory and Endpoint Support Service
4. DLP
5. WAF
6. Network Behavior Analysis
7. Vulnerability Assessment and Penetration Testing of the Bank
Sub Total

*The full specification of the item is as per Technical Offer.

B. Implementation Cost : ………………………………………

C. Miscellaneous (if any) : ………………………………………

Grand total for 1st 03 (three) years (A+B+C):

______(Signature) (Date)

______(Name and Title) (Typed or Printed)


ANNEXURE A: TECHNICAL SPECIFICATION

TECHNICAL SPECIFICATION

The detailed functional specifications for the Gap Analysis, remediation and rectification of gaps for PCI DSS v3.2 certification, Security Information and Event Management (SIEM), Directory and Endpoint Support Service, Data Loss/Leakage Prevention (DLP) and Web Application Firewall (WAF), Network Behavior analysis and Vulnerability Assessment and Penetration Testing service of the Bank’s network are given hereunder. All the requirements are mandatory. Bidder shall indicate the availability of each requirement as a standard product (S) in the respective column.

All the functionalities are mandatory and should be available in the offered solution as a standard product. In case any of these are not offered as a standard product, the bid may be deemed non-responsive.


1.1 Gap analysis, remediation plan and rectification of gaps, vulnerability assessments and penetration testing for PCI DSS certification v3.2:

This RFP already introduced the locations of the sites which are placed under the scope of gap analysis for PCI DSS v3.2. The bidder will focus on the 12 requirements indicated in the PCI DSS v3.2 and should consider performing all the activities during gap analysis.

During gap analysis the bidder should include the banking locations and operations listed below, which store, process and/or transmit cardholder data on behalf of the bank, so that the gap assessment is carried out at a more granular level:

 ATM Acquiring & Authorization
 Branch Operation
 Call Center
 Card Production, Personalization & Issuance
 Data Centers (DC-1 and DC-2)
 Fraud & Risk Management
 Internet Banking
 Merchant Acquiring & Authorization
 Core Banking
 Mobile Banking
 Online Payment Gateway
 Payment Switching
 POS Acquiring & Authorization
 Postage/communication of cards and PIN
 Reconciliation, Chargeback
 Branches Operations
 Settlement
 Transaction Processing & Authorization etc.
 Brand structure and operational differences
 Payment channels/CHD flows
 Operational Security Services
 Applications including development
 Infrastructure including AD/domain architecture
 Desktop environment
 Telephony, Email System, SMS
 Service Providers

The following systems are involved in storing, processing or transmitting cardholder data (CHD). The bidder should include these systems in the scope of the gap analysis for PCI DSS v3.2, but the scope is not limited to them:

 Internet Banking Application
 StarCard Debit Card Management
 Card Support Solution (CSS)
 E-com Application
 Transaction Monitoring
 VISA/MasterCard Packages
 IST Switching System
 Real Time Processing System (RTPS)
 Card Management System (CMS)
 BDMS/CDMS
 Card Security Module (CSM)
 Host Security Module (HSM)
 Clearing Module (CL2)
 Tech Trex (P3 software)
 Personalization machine: Datacard MX2100 (Contact chip personalization Module)
 E-commerce System
 POS Merchant Payment
 Master Card File Express
 VISA Edit Package

The bidder shall perform all necessary actions that will be checked by the Qualified Security Assessors (QSA) to determine compliance against the PCI DSS requirements, as well as validating compliance against the PCI DSS requirements for network components, security devices, servers, applications, business processes etc.

To determine compliance against the PCI DSS requirements the bidder should analyze the Card "Transaction Environment" in the Bank and the Payment Gateway. Following a thorough assessment, the bidder should provide a document identifying the gaps in the bank’s systems and processes against the PCI DSS requirements. The bidder should also provide the list of compliant and non-compliant elements of the bank found during the assessment, and should classify the non-compliant elements on the basis of priority. All findings of the gap assessment shall be delivered to the bank in a suitable comprehensive document, and the bidder shall also take responsibility for remediating those gaps, with the help of the DBBL team.

The bidder should provide a remediation plan after providing the gap assessment report. In order to provide remediation plan the bidder has to conduct periodic meetings with the Bank to formulate a Gap Remediation Plan. The plan should be detailed with low level implementation steps. The bidder should recommend what policies /procedures the bank has to modify or formulate to meet the PCI DSS requirements.

The bidder should also perform both internal and external vulnerability scans to ensure that the cardholder environment meets current security standards.


The following table depicts the working procedure of Gap analysis, remediation and rectification of gaps for PCI DSS v3.2:

Columns: Sl no | Specification | Bidders Response: Complied (Yes/No) | Detailed Explanation

1. Pre-Assessment requirements
 I. Bidder should identify the people, processes, and technologies that are considered in-scope
 II. Bidder should provide a detailed checklist of required documentation for the purposes of the engagement

2. On-site Activities
 I. Bidder should conduct interviews with key DBBL stakeholders
 II. Bidder should conduct reviews of DBBL’s existing policies and procedures
 III. Bidder should conduct assessments of the following:
   Network architecture, firewall, and routers
   Servers
   Applications
   Card Holder Data (CHD) Environment
   Physical security
   Third-party legal contracts
   Miscellaneous (if any)
 IV. Bidder should analyze compliance status
 V. Bidder should evaluate compensating controls

3. Reporting and Remediation Plan for Compliance
 I. Bidder should notify DBBL if a passing Report on Compliance (ROC) can be issued, or if remediation is required:
   Provide DBBL with an Open Issues Report containing details of specific non-compliance issues and the steps that must be taken to address any PCI DSS non-compliance issues (requiring remediation); issues may include systems configuration settings that must be changed, missing documentation, and/or missing processes and procedures
   Review remediation and provide DBBL with a PCI report on compliance upon DBBL’s completion of remediation of items on the Open Issues Report, including:
     Compliance status of all applicable PCI requirements and control validation testing information
     Contact information and report date
     Executive summary
     Description of scope of work and approach
     Details of reviewed environment
     Quarterly scan results
     Findings and observations
     Applicable appendices

4. PCI Awareness Training
   Training at Dhaka for 15 persons

5. Specifications of PCI DSS Compliance Management System
   Web based Client-Server application to maintain and control PCI DSS compliance. The application must be installed on Bank site (not on cloud)
   PCI DSS v3.2 Requirements and Testing Procedures
   Support migration of process to application with training and handover, in DBBL premises
   Effective mapping of documentation to each PCI DSS requirement, with upload and version change control feature
   Traffic light compliance status indicator on each requirement, with comment boxes
   Analytics dashboard for overview of compliance with drill down capability
   Compliance workflow automation, with procedural email alerts and manager escalation feature
   Make maintenance support available for customization and updates in PCI DSS v3.2 standard


1.2 Security Information and Event Management (SIEM):

Columns: Sl no | Specification | Description | Bidders Response: Complied (Yes/No) | Detailed Explanation

1 General Requirements

 i. Sizing: Current solution must support at least <100,000 EPS> and must be scalable by at least 25% without any additional H/W requirement. Real time correlation logs are to be retained online for one year in both DC-1 and DC-2. Raw logs are to be retained for compliance and audit purposes for seven years. The correlation engine must be in both DC-1 and DC-2.

 ii. Deployment Methodology: Quoted product must have a flexible deployment methodology, i.e. appliance or software based, on a physical/virtual environment. The solution should be deployed in mirror at DC-1 and DC-2, so all the events/logs should be stored synchronously in both locations DC-1 and DC-2. The hardware should be identical in both locations and the required number of licenses has to be quoted from day one.

 iii. Log collection and Parsing: Quoted product must be capable of collecting logs from any IT devices, security software, servers and network devices, either out-of-the-box or through parsing. A parsing tool kit must be bundled along so there is no future cost of getting parsers developed.

 iv. Storage Flexibility: The vendor’s solution must be able to store log data locally on disk or provide log storage through DAS/NAS/SAN integration.

2 Automated Output System

 i. Log Collection Automation: The vendor's product must provide an agent-less solution that can automatically scan Active Directory (AD) and the network for the list of servers to be monitored, and will automatically accept events and start to monitor devices without any administrator intervention.


 ii. Log Management Automation: The solution must provide a log management solution that would require very little post-deployment effort for tasks such as introducing new event sources, managing retention policies and archiving of log data.

 iii. SIEM Analysis Automation: The vendor’s product must provide the ability to start analyzing and correlating activity out-of-the-box. The product must assist security analysts by reducing false positives automatically, without configuring any rules or filters to do so.

 iv. SIEM Workflow Automation: The vendor’s product must provide a SIEM solution that can initiate a workflow that will automatically open tickets, either locally or remotely, and assign the tickets to the appropriate team members while maintaining a complete audit trail for the incident handling process.

3 Log / Event Collection and Management

 i. Universal Logging Format: The vendor's product must support an open log management standard such as the Common Event Format suggested by the NIST 800-92 standard, which improves the interoperability of security-related information from various security and network devices and applications.

 ii. Agent-less Event Collection from Domain Controllers: The vendor's product must provide an agent-less approach to collecting security logging from Domain Controllers, as opposed to an agent-based approach, to avoid any potential complication and performance issue that may arise.

 iii. Distributed Event Processing: The vendor’s product must collect logs in a distributed manner, offloading the processing requirements of the log management system for tasks such as filtering, aggregation, compression and encryption.

 iv. Secure Transport: The vendor’s product must provide encrypted transmission of log data to the log management system.

 v. Transaction Assurance: The vendor’s product must provide some mechanism that guarantees delivery of events to the log management system and that no events will get lost if the log management system is unavailable.

 vi. Collection High-Availability: The vendor’s product must provide options for log collection high-availability from day one in both DC-1 and DC-2.

 vii. Caching: The distributed collection mechanism should maintain a heart-beat with the central log management system and provide a configurable amount of local cache. In the event of a communication failure with the centralized log management system, no event data should be lost, and when communication with the log management system resumes, all cached event data should be sent immediately along with real-time event data. This ensures no event data is lost.

 viii. Event Filtering: The distributed collection mechanism must provide inline options to reduce event data at the source by filtering out unnecessary event data. Filtering must be simple string-based or regular-expression-based and must delete the event data before it is processed.

 ix. Compression: The distributed collection mechanism must provide a 10:1 compression ratio, or better if possible, for all transmitted data to provide further bandwidth conservation.

 x. No Events are Dropped During Spikes, Even If License Has Been Exceeded: The vendor solution must not, under any circumstances, drop incoming events. This is essential to ensure compliance/audit integrity and to preserve the data necessary to detect and mitigate threats during an attack or other unforeseen spikes in event volumes.

 xi. Static or dynamic field mapping: The collection mechanism must be able to perform static or dynamic field mapping upon collection for data enrichment.


 xii. Raw Event Data: The log collection mechanism must support the option of collecting raw event data using Syslog, FTP, SCP, etc. to ensure original audit-quality data is available for forensics.

 xiii. Windows Event Logs: The log collection mechanism must be able to integrate with a Windows Domain in an agent-less fashion and collect the event logs from multiple systems simultaneously without requiring any agents to be installed on the end devices.

 xiv. Simultaneous Event Forwarding to Multiple Destinations: The collection mechanism must be able to support event forwarding to multiple destinations (i.e. flat file - csv, normalised syslog, encrypted syslog destinations etc.) simultaneously, i.e. all the events have to be forwarded to the DC-1 and DC-2 appliances, physical and virtual environment.

4 Log Aggregation and Normalization

 i. Event Prioritization: The distributed collection mechanism must provide transaction assurance whereby high priority log events can be prioritized and sent immediately to the log management engine for analysis. This is especially important in low bandwidth sites where batching or queuing is enabled.

 ii. Event Aggregation: The distributed collection mechanism must provide inline options to reduce event data at the source by aggregating event data. Aggregation must be flexible, such that normalized fields can be aggregated, and must provide the ability to aggregate in batches or time windows.

 iii. Time Correction: The distributed collection software must be capable of providing a mechanism for correcting timestamps from devices that are not properly configured with NTP, while preserving the original device time for litigation purposes.

 iv. DNS Resolution: The collection mechanism must provide an option to enable or disable the DNS resolution of IP addresses and host names received.
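Requirements 3.vii (caching), 3.viii (event filtering), 4.i (event prioritization) and 4.iii (time correction) together describe a store-and-forward collector, and the interaction between them is easier to evaluate in code than in a checklist. The following is an added illustration written for this edit; it is not part of the RFP and is not any bidder's product. The CentralSink stub, the sample events and the run_demo scenario are constructed, and the clock_skew offset stands in for whatever NTP comparison a real collector would perform.

```python
"""Store-and-forward collector model (constructed illustration, not RFP or vendor code)."""
import re
from collections import deque
from datetime import datetime, timedelta, timezone


class CentralSink:
    """Stand-in for the central log management system (constructed stub)."""

    def __init__(self):
        self.available = True
        self.received = []

    def send(self, event):
        if not self.available:
            raise ConnectionError("log management system unreachable")
        self.received.append(event)


class Collector:
    """Distributed collector: source filtering, local cache, priority delivery, time correction."""

    def __init__(self, sink, drop_patterns=(), clock_skew=timedelta(0), cache_limit=1000):
        self.sink = sink
        self.drop = [re.compile(p) for p in drop_patterns]  # regex filters applied first (3.viii)
        self.clock_skew = clock_skew    # measured offset of the device clock from NTP time (4.iii)
        self.cache_limit = cache_limit  # configurable local cache size (3.vii)
        self.urgent = deque()           # high-priority events awaiting delivery, sent first (4.i)
        self.normal = deque()
        self.filtered = 0
        self.cache_overflow = 0         # events held beyond cache_limit: raise an alarm, never drop

    def cached(self):
        return len(self.urgent) + len(self.normal)

    def ingest(self, device_time, priority, raw):
        """Accept one raw event; returns the normalised event, or None if it was filtered out."""
        if any(p.search(raw) for p in self.drop):
            self.filtered += 1
            return None                 # deleted before any further processing
        event = {
            "device_time": device_time,  # original device time, preserved for litigation
            "corrected_time": device_time - self.clock_skew,
            "priority": priority,
            "raw": raw,
        }
        self.flush()                    # cached data goes out alongside real-time data
        if not self._try_send(event):
            if self.cached() >= self.cache_limit:
                self.cache_overflow += 1
            (self.urgent if priority == "high" else self.normal).append(event)
        return event

    def heartbeat(self):
        """Poll the central system; on reconnect the local cache is flushed. Returns reachability."""
        if not self.sink.available:
            return False
        return self.flush()

    def flush(self):
        """Send cached events, high priority first, stopping at the first failed send."""
        for queue in (self.urgent, self.normal):
            while queue:
                if not self._try_send(queue[0]):
                    return False
                queue.popleft()
        return True

    def _try_send(self, event):
        try:
            self.sink.send(event)
            return True
        except ConnectionError:
            return False


def run_demo():
    """Constructed scenario: the link to the central system drops in the middle of a burst."""
    sink = CentralSink()
    base = datetime(2017, 1, 1, 9, 0, tzinfo=timezone.utc)
    collector = Collector(sink, drop_patterns=[r"\bDEBUG\b"],
                          clock_skew=timedelta(minutes=7), cache_limit=2)
    collector.ingest(base, "low", "INFO sshd: session opened for user alice")
    collector.ingest(base + timedelta(seconds=1), "low", "DEBUG heartbeat ok")  # filtered at source
    sink.available = False                                                      # link goes down
    collector.ingest(base + timedelta(seconds=2), "low", "INFO cron: job started")
    collector.ingest(base + timedelta(seconds=3), "high", "ALERT pam: 5 failed logins for root")
    collector.ingest(base + timedelta(seconds=4), "low", "INFO sshd: session closed for user alice")
    cached_during_outage, overflow = collector.cached(), collector.cache_overflow
    sink.available = True                                                       # link restored
    collector.heartbeat()
    return {
        "delivered_order": [e["raw"] for e in sink.received],
        "cached_during_outage": cached_during_outage,
        "cache_overflow": overflow,
        "filtered": collector.filtered,
        "cached_after_resume": collector.cached(),
        "first_corrected_time": sink.received[0]["corrected_time"].isoformat(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point to check in a vendor's implementation is what happens when the cache limit is reached: the requirement says nothing may be dropped, so the collector above keeps the event and counts an overflow for alerting rather than discarding it, and on reconnect the high-priority alert leaves the cache before the older routine events.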


 v. Event Replay: The vendor must provide a tool or facility which allows production event data to be exported and replayed into the system for testing and content creation.

 vi. Event State Pointer: The collection mechanism must have an in-built function/feature to maintain the last state/pointer after collecting from log sources.

5 Log Archival

 i. Scheduled Archive: The log management system must provide a simple interface to schedule the compression and archiving of log data to a NAS system.

 ii. Storage Archiving: The log management system must integrate with the existing SAN/NAS environment for storing log archives in a secure, easily retrievable manner. Logs must be easily restorable for investigations.

 iii. Manual Archive: The log management system must provide a simple interface for manually archiving log data to a SAN/NAS system.

 iv. Archive Restore: The log management system must provide a simple interface to manually restore log data from a SAN/NAS system back to the log management system for historical analysis and reporting.

6 Correlation-Analysis and Workflow

 i. Correlation Rule Types: The vendor's correlation engine must provide various types of rule processing for rule creation so as to improve correlation performance. For example, a lightweight rule for populating the count of user logins in the background, and a pre-persistence rule to enrich the context of the normalized event.

 ii. Correlation Rule Performance Statistics: The vendor's correlation engine shall have an in-built dashboard for displaying the rule statistics, such as the current state, memory size used per rule, partial matches count and the corresponding number of correlation events triggered etc.


 iii. Correlation Engine Capability: The vendor's correlation engine must perform the evaluation of events through in-memory correlation rather than query-based correlation, where the resulting correlation event can be used to automate the incident detection and workflow process.

 iv. Correlation Rules: The vendor's correlation engine must provide many correlation rules out-of-the-box and be able to support a minimum of 75-200 correlation rules activated for real-time monitoring, while still supporting multiple concurrent user logins for daily security operations.

 v. Automatically Disable Excessive Triggering Correlation Rules: The vendor's correlation engine must include a built-in function to automatically disable any correlation rule(s) that are causing excessive firing of correlation rules, to avoid performance degradation of the system.

 vi. Cross-Device Correlation: The vendor's product must be capable of correlating activity across multiple devices out-of-the-box to detect authentication failures, perimeter security events, worm outbreaks and operational events in real-time without the need to specify particular device types.

 vii. Session Correlation: The vendor's solution must provide the ability to correlate DHCP, VPN and Active Directory events to provide session tracking for every user in the enterprise. This is essential for pinpointing who was using a particular workstation historically during an incident investigation.

 viii. Geo-Spatial Location Correlation: The vendor's product must provide the ability to monitor activity between multiple geographical locations and calculate distances, identify countries of concern and be able to provide country information and GPS coordinates for every event.

 ix. Asset Intelligence: The vendor's product must provide the ability to import context and keep an inventory of all data as it relates to assets. This includes hostname, IP address, MAC, location, business purpose, owner, vulnerability data, exemptions, compliance, criticality and other business related data. The asset inventory must have an automated refresh function that allows customers to integrate with vulnerability scanners or CMDB systems to keep asset information up to date.

The vendor's product must provide a mechanism to logically segregate data by business role, department, domain or Business customer. Additionally, the system must x. Intelligence make it possible to distinguish event data that pertains to different business verticals, such as financial or HR transactions. The vendor's product must allow the ability to define conditional or variable statements to derive additional Conditional information from "hard" event data to xi. Analysis provide dynamic context during correlation and reporting. This conditional analysis must be globally available throughout the system. The vendor's product must provide the ability to aggregate and suppress alerting Alert xii. with granular options and use conditional Thresholds logic to determine if an alert should be generated. The vendor's product must be capable of Historical xiii. monitoring attack history against critical Correlation asset or by particular users The vendor must provide a solution that Re-Usable allows customers to create objects such xiv. Content as filters or search queries that are reusable throughout the system 7 Centralized Event/ Reports/ Incident Management The management software must provide a web interface used for 100% of the Administrative administrative tasks including initial i. Interface configuration, updates, upgrades, patches, backups, restores, health monitoring, user management and all

RFP for Gap analysis, remediation plan and rectification of gaps for PCI DSS v3.2 certification and enhancement of security infrastructure by assessing vulnerabilities and implementing SIEM, Directory and Endpoint Support Service, WAF, DLP, Network Behavior Analysis and conducting VAPT service for Dutch-Bangla Bank Limited. Page 48 of 92 DBBL/100/ITSD/Tender/2017/01

Bidders Response Sl Specification Description Complied Detailed no (Yes/No) Explanation other tasks. The management software must be able Enhanced to manage the health of the other SIEM ii. Health nodes with the capabilities of customizing Monitoring threshold alert for notifications The vendor must provide the solution to allow the creation and management of Configuration node configurations, and synchronization iii. Management (pushing) of configurations across multiple nodes within the SIEM environment The management software must be able Subscription to verify if the subscribed node(s) is and iv. updated with the latest configuration Compliance values from the provider for compliance Checks check validation The vendor's solution must provide an intuitive reporting interface that can v. Report Creation leverage existing reports or the creation of new reports that does not require complex SQL queries. The vendor's solution must provide a level of confidence that reporting will continue to work and not have to be modified if a particular technology, such vi. Future Proofing as a Firewall or IDS product, is replaced with a newer product or vendor. The reports should continue to run and include the new technology into the report criteria. The vendor's system must have a mechanism to collect meta-data used by Ad hoc Report reports that track information over long vii. Performance periods of time so that running these reports ad hoc does not take considerably longer than any other reports. The vendor's product must provide the ability to schedule reports to run hourly, Report viii. daily, weekly or monthly. There must be Scheduling numerous output formats and delivery options for scheduled reports. The vendor's solution must provide the Customizable framework to create custom visual ix. Dashboards displays for any business group using customer provided images and

RFP for Gap analysis, remediation plan and rectification of gaps for PCI DSS v3.2 certification and enhancement of security infrastructure by assessing vulnerabilities and implementing SIEM, Directory and Endpoint Support Service, WAF, DLP, Network Behavior Analysis and conducting VAPT service for Dutch-Bangla Bank Limited. Page 49 of 92 DBBL/100/ITSD/Tender/2017/01

Bidders Response Sl Specification Description Complied Detailed no (Yes/No) Explanation backgrounds to support security operations, business workflow, risk management and branding use cases from day one. The vendor's product must provide the ability to synchronize its resource contents (i.e. rules, dashboards, reports, Content x. filters, and etc) automatically across Management multiple instances of the product, to support multi-instance/high-event-rate deployments. 8 Advanced Use Cases The vendor's solution must provide value in assisting in adhering to audit Compliance i. requirements, alerting of non-compliance Automation and providing necessary reports that can be used during an audit The vendor's solution must be capable of collecting log data from physical access devices such as card readers, biometrics and security cameras and correlate this Physical / information with logical network and ii. Logical security devices to detect such patterns Convergence as building access after-hours by bidders or users logged in through VPN and physically accessing the building within the same time period. The vendor's product must provide the ability to monitor user network and User Activity iii. application activity to create baselines Baseline and then use these baselines to identify anomalous user behavior. The vendor's product must be capable of Stale or automatically identifying when user iv. Terminated accounts are terminated or stale and User Activity then monitor for any activity from these accounts. The vendor's product must be able to alert or report on any activity for identities that are not automatically Unaccountable v. synchronized with the authentication User Activity directories. This will help customers detect rogue user accounts on critical systems.

RFP for Gap analysis, remediation plan and rectification of gaps for PCI DSS v3.2 certification and enhancement of security infrastructure by assessing vulnerabilities and implementing SIEM, Directory and Endpoint Support Service, WAF, DLP, Network Behavior Analysis and conducting VAPT service for Dutch-Bangla Bank Limited. Page 50 of 92 DBBL/100/ITSD/Tender/2017/01

Bidders Response Sl Specification Description Complied Detailed no (Yes/No) Explanation The vendor's solution must provide the ability to synchronize with authentication directories to collect information User Role/ regarding user roles and responsibilities vi. Activity and correlate this data with all user Monitoring activity. Users that violate their roles within the organization should be recorded for alerting and reporting purposes. The vendor's solution must be able to detect suspicious activity, such as printing large numbers of files outside of business Insider Threat hours, emailing large attachments to vii. Detection personal email accounts, employee communication with competitors or the clearing of system audit logs to cover up malicious activity. The vendor's product must be capable of allowing investigators to restore a year's worth of historical log files to a single appliance and then perform complex Forensic viii. pattern searches and reporting against Investigations terabytes of data in a short period of time. The entire process from restoring the data to reporting results must take less than two days. The vendor's solution must be capable of triggering scripts or execute integration commands with third-party solutions, IPS Real-time ix. such as IPS or Next Generation Intrusion Response Prevention systems in order to quarantine or block nefarious activity in real-time. The vendor's product must provide the ability monitor online banking applications, banking infrastructure devices and user transaction activity. The Fraud x. product must use this data to detect Detection anomalous transactions such as simultaneous user transactions from multiple geo-spatial locations, fraudulent activity and breaches. The vendor's solution must be able to Business Insight map IT Assets to Business Functions, and xi. 
to Security report on the Business Risk in the form of Intelligence heat maps, reports, and scores against RFP for Gap analysis, remediation plan and rectification of gaps for PCI DSS v3.2 certification and enhancement of security infrastructure by assessing vulnerabilities and implementing SIEM, Directory and Endpoint Support Service, WAF, DLP, Network Behavior Analysis and conducting VAPT service for Dutch-Bangla Bank Limited. Page 51 of 92 DBBL/100/ITSD/Tender/2017/01

Bidders Response Sl Specification Description Complied Detailed no (Yes/No) Explanation Key Performance Index (KPI).

9 Licenses

i. License: The license should be for unlimited devices (network security, PC, end point etc.) from day one, and the licenses should be perpetual and should not have any expiration, however many years elapse.

ii. Licensing for un-supported device: Parser (tools for developing a connector for an unsupported device) shall be delivered free of cost and should be an unlimited license without any restrictions.

10 Implementation

i. Implementation: Implementation has to be done by a partner/ SI who has done at least two similar projects in the last two years. The CVs of the resource persons from the vendor/OEM/SI who will work on the project have to be attached with the bid document.

ii. Project Management: Project management shall be done by the OEM only.

11 Training

i. Training: Comprehensive training for at least 6-10 persons in Dhaka at any suitable training location has to be arranged. The trainer should be certified in the quoted product and have experience of delivering similar training on batches of trainees. The training should cover initialization of product installation, configuration, administration and customization. It should also cover day-to-day operation of the product. This training should be proper hands-on training with detailed coverage of all the aspects configured for the DBBL environment. Training is to be provided for the following topics (not limited to):
 Log & ESM Administration
 Connector Development (Parser Toolkit)
 Creating Correlation rules

12 Deliverables

i. Architecture: The design of the architecture of the solution should be provided.

ii. Configuration: Detailed configurations of the implementation have to be provided.

iii. Maintenance Manual: A day-to-day operation and maintenance manual should be provided.

13 Warranty

i. Warranty: Warranty and AMC should include repair/ replacement of any faulty parts. The quoted hardware should have enough CPU, Memory and other resources from day 1 to run this application for at least 7 years. The quoted hardware should have a warranty of 3 years, and AMC should be eligible for another 4 years at least.

14 Hardware Requirements

i. Brand: Please Specify

ii. Model: Please Specify

iii. Dimensions: Please Specify

iv. Processor: Please Specify

v. Network Interface: Please Specify

vi. Memory: Please Specify

vii. Storage: Please specify details with RAID capability and the capacity needed to store data for 7 years.

viii. Operating System: Please Specify

ix. Scalability: Please Specify

x. Power: At least dual redundant power supply

xi. Virtual: Please Specify (VMware and Hyper-V)

xii. Number of nodes required: Please Specify

xiii. Note: All the hardware, be it servers, storage or any additional network equipment, has to be provided with the solution so that it works from day one, and it should be able to keep data for 7 years in the storage.

15 Bill of Materials (BOM)

i. Hardware: Please Specify

ii. Appliances: Please Specify

iii. Software: Please Specify


1.3 Implementation of Directory Service, Patch Management Service and Collection of information from Windows end points through Microsoft Premier Support Service

Columns: Sl No | Specification | Description | Bidders Response: Compliance (Yes/No) | Remarks

1 Implementation

i. System Center Configuration Manager (SCCM) Implementation: Vendor should do the installation, implementation and configuration of System Center Configuration Manager (SCCM) 2016 with software inventory, hardware inventory, software metering, patch update and all other features. Microsoft Premier Onsite Deployment Support for at least 2 weeks or more for SCCM installation and configuration.

ii. System Center Operations Manager (SCOM) Implementation: Vendor should do the installation, implementation and configuration of System Center Operations Manager (SCOM) 2016 with monitoring of the Windows server environment (Critical Desktop), event log management and all other features. Microsoft Premier Onsite Deployment Support for at least 2 weeks or more for SCOM installation and configuration.

iii. System Center Virtual Machine Manager (SCVMM) Implementation: Vendor should migrate the existing System Center Virtual Machine Manager (SCVMM) to SCVMM 2016 in cluster mode. Microsoft Premier Onsite Deployment Support for at least 2 weeks or more for SCVMM installation and configuration.

iv. Active Directory Migration: Vendor should migrate the existing Active Directory system from Windows Server 2008 R2 to a Windows Server 2016 environment. Microsoft Premier Onsite Deployment Support for at least 2 weeks or more for the Active Directory Migration.

2 Premier Support Services

i. Support Account Management: Support Account Management from an assigned Microsoft resource, which should help to build and maintain relationships with DBBL management and service delivery staff and should help DBBL arrange each element of the Premier Support to meet DBBL business requirements. Should provide Support Account Management services intended to help coordinate the support and services relationship through a dedicated Support Services Resource:
 Support Services Resource should act as DBBL's trusted advisor and advocate to facilitate a team that can provide Workshops, Problem Resolution Support, and Support Assistance.
 Support Services Resource should also serve as the point of information delivery and provide DBBL's feedback regarding the Services to other Microsoft groups.

ii. Support Assistance: Support Assistance should provide short-term advice and guidance for problems not covered by the Problem Resolution Service, as well as requests for consultative assistance for design, development and deployment issues. Should provide a dedicated Support Services Resource to work with DBBL to determine DBBL's specific Support Assistance needs:
 Infrastructure Support Assistance: Should provide Infrastructure Support Assistance, which includes informal advice, guidance and knowledge transfer intended to help DBBL implement Microsoft technologies in ways that avoid common support issues and decrease the likelihood of system outages.
 Reviews:
  a. Should provide a review, which is an assessment of a specific system, application or architecture to address design, development, deployment, and supportability issues for current or planned implementations of Microsoft technologies.
  b. Should scope and estimate each review individually prior to scheduling resources.
  c. Should produce a written report to document findings and recommendations.
 Development Support Assistance: Should provide Development Support Assistance, which specializes in Microsoft development tools and technologies, to help DBBL in the creation and development of internal applications on the Microsoft platform that integrate Microsoft technologies.

iii. Workshops: Workshops should be arranged to help DBBL prevent problems, increase system availability and assist with creating products and solutions based on Microsoft technologies.
 WorkshopPLUS - System Center Configuration Manager: Concepts and Administration Introduction
 WorkshopPLUS - System Center Operations Manager: Configuration, Administration and Installation
 WorkshopPLUS - System Center Virtual Machine Manager: Implementation and Management
 WorkshopPLUS - Windows Server: Active Directory Domain Services
Workshops and Events should provide DBBL with proactive technical information to assist in the design, development or deployment of Microsoft technologies. They should include instruction to help reduce the number and minimize the impact of problems related to Microsoft Products that DBBL experiences. Workshops should include the following:
 Should conduct Microsoft Premier Field Engineer (PFE) instructor-led training sessions that emphasize Microsoft technologies, at either DBBL's facility or on location at Microsoft.

iv. Services of Support Service Resources: The Support Services Resource should provide the following services:
 Planning and Resource Facilitation:
  a. Should conduct an orientation and planning session onsite to discuss the Support Services available.
  b. Should conduct Quarterly Service Delivery Planning sessions onsite to gather input regarding DBBL's support needs, and jointly plan the use of the services.
 Status Meetings and Reporting:
  a. Should prepare a standard status report on a monthly basis to summarize the Support Services delivered.
  b. Should conduct Monthly Status Meetings to discuss Service activities, monitor DBBL's satisfaction levels, and discuss actions or adjustments that may be required up to the end of the project.
  c. Should provide Customized Reporting at DBBL's request and any additional related labor.
 Escalation Management:
  a. Should designate a Service Support Resource to effectively manage issues that require escalation to other resources within Microsoft to expedite resolution.

v. Problem Resolution Support:
 Should provide Problem Resolution Support, which provides assistance for problems with specific symptoms encountered while using Microsoft products, where there is a reasonable expectation that the problems are caused by Microsoft products.
 Should provide Problem Resolution Support that is available 24 hours a day, 7 days a week.
 Should provide the capability for DBBL's designated support personnel to request support via telephone or electronically through the Support Online website, except for Severity 1 and A, which must be submitted via telephone.
 Problem Resolution Support can include any combination of the following:
  a. Problem Request (Break-Fix): An assisted break-fix support request, also known as an incident, is defined as a single support issue and the reasonable effort needed to resolve it. A single support issue is a problem that cannot be broken down into subordinate issues. If a problem consists of subordinate issues, each shall be considered a separate incident. Incidents requiring an onsite visit will be charged on an hourly basis and will include charges for reasonable travel and living expenses.
  b. In certain situations, DBBL may need modification to the commercially available Microsoft product software code to address specific critical problems ("Hotfix(es)") in response to an assisted break-fix support request.
  c. To provide Hotfixes that are designed to address DBBL's specific problems and are not regression tested.
 Severity Level: Should provide DBBL with the ability to set the initial severity level in consultation with the Support Services Resource, and DBBL can request a change in severity level at any time.
 Software Assurance Benefits: Should provide DBBL with the flexibility to convert DBBL's Software Assurance 24x7 Problem Resolution Support Incidents (SA PRS Incidents) to Premier Problem Resolution Support (PPRS) hours or incidents for use consistent with DBBL's Service Delivery Plan at the time of transfer.

vi. Information Services: Should provide Information Services that give DBBL technical information about Microsoft products and support tools to help DBBL implement and operate Microsoft products in a more efficient and effective manner. Information Services should include any combination of the following:
 Premier online website: The Premier online website should provide access to the following information resources at no additional charge:
  a. Regularly updated product news flashes documenting key support and operational information about Microsoft products.
  b. Critical problem alerts notifying DBBL of potentially high-impact problems.
  c. Web response tool for submitting and checking the status of support incidents.
  d. Microsoft Knowledge Base of technical articles and troubleshooting tools and guides.
 Support Webcasts: Support webcasts should be regularly scheduled webcast discussions led by program managers, developers and professionals covering key areas of Microsoft technology. These should be provided at no additional charge and require high-speed internet access to participate.

vii. Duration of Microsoft Premier Support: The Support Service should be for at least three years. Microsoft Premier Advisory Hours: 5 hours/ year, total 15 hours. Microsoft Premier Problem Resolution hours: 20 hours/ year, total 60 hours.


1.4 Data Loss/Leakage Protection (DLP):

Bidders Response Sl Specification Description Complied Detailed no (Yes/No) Explanation 1. Network Data monitoring and Prevention The ability to monitor Web traffic, such as Web Data webmail, Web postings and other protocols I. Monitoring using HTTP and HTTPS including uploaded files. The solution should have the ability to monitor Traffic both active and passive FTP traffic including II. Monitoring fully correlating transferred file data with control information. The solution should have ability to monitor Network traffic network traffic on arbitrary ports or port III. on different ranges to deal with unclassified or rogue ports threats. Third-party The ability to operate without depending on a IV. proxy third-party proxy to enforce Web traffic independency including SSL traffic. Unprocessed The solution should have notification system V. traffic of unprocessed traffic due to network bursts notification (e.g., dropped packets or sampling). 2. Endpoint Data Monitoring and Prevention The solution should be able to monitor end Basic operation users basic operations like cut/ copy, paste, monitoring i. print screen, file access, print to local printer, from end-user print to network printer, removable storage

device, shared locations etc. End-user The solution should provide detailed activity activity ii. logging and audit reporting of all files monitoring containing sensitive data. report The solution should be able to encrypt iii. Data encryption information copied to removable media if needed. The solution should be able to allow/ protect/ Data access by block/ deny the transfer of confidential and iv. policy sensitive data from end user as per organization’s defined policy. The solution should prompt the user to v. Display prompt provide justification before allowing the transfer of sensitive data. The solution should have printer agents for Data access by vi. print servers to detect data leaks over print printer channel.

RFP for Gap analysis, remediation plan and rectification of gaps for PCI DSS v3.2 certification and enhancement of security infrastructure by assessing vulnerabilities and implementing SIEM, Directory and Endpoint Support Service, WAF, DLP, Network Behavior Analysis and conducting VAPT service for Dutch-Bangla Bank Limited. Page 62 of 92 DBBL/100/ITSD/Tender/2017/01

Bidders Response Sl Specification Description Complied Detailed no (Yes/No) Explanation The solution should support integration of Platform vii. different types of operating systems like support Windows, MacOS, Linux, HP-UX, AIX etc. 3. Email security The solution should have ability to block Block outbound i. outbound emails that are in violation of emails company policy on confidential data. The solution should have ability to monitor ii. Monitor emails and enforce for internal email traffic, including attachments. The solution should have ability to quarantine Quarantine emails that are in violation of company policy iii. emails on confidential data and should be informed to administrators. Quarantine The solution should have ability to release iv. email email from quarantine by end-users, their management managers, or other designated users. The solution should have ability to ensure Failure message v. message delivery even in the event of a failure delivery of your system. 4. Data Identification and Policy management The solution should have advanced machine Advanced learning ability to automatically learn sensitive capability for i. information from copies of information that data needs to be protected and also automatically identification learn false positives. The solution should be able to enforce policies ii. OCR technology to detect data leaks even on image files through OCR technology. The solution should be able to identify data Identify leaked in the form of known and unknown iii. encrypted data encrypted format like password protected word and excel document. The solution should be able to identify Identify malicious traffic pattern generated by iv. infected data malware infected computer in order to prevent future data leakage by the malware. The solution should have the ability to define policies based on any combination of the Data following: content, sender/recipient, file v. 
Identification characteristics, communications protocol, and based on policy destination category, depending on an organization’s specific needs for greater visibility and control. Also it should have the

RFP for Gap analysis, remediation plan and rectification of gaps for PCI DSS v3.2 certification and enhancement of security infrastructure by assessing vulnerabilities and implementing SIEM, Directory and Endpoint Support Service, WAF, DLP, Network Behavior Analysis and conducting VAPT service for Dutch-Bangla Bank Limited. Page 63 of 92 DBBL/100/ITSD/Tender/2017/01

Sl no. | Specification | Description | Bidders Response (Complied Yes/No; Detailed Explanation)

(continued from the previous page) ... ability to articulate context, like when a name is found near a valid credit card number, for greater accuracy.

vi. Compliance: The solution should have built-in policies for multiple industries and geographies that users can access, use, and apply simultaneously (like PCI-DSS and ISO 27001 policies) to facilitate compliance.

vii. Inspection of data: The solution should have policies to scan data wherever it is stored, transmitted, or used, both on the network and on the endpoint, ensuring consistent coverage.

viii. Centralized interface for policy management: The solution should have a centralized interface for policy editing and policy management across all components, which simplifies and streamlines administration.

ix. Incident scoring: The solution should have configurable scoring of incident severity based on content identifiers, such as file type, file size, and keywords, for a flexible incident management capability adaptable to individual needs.

x. Rules management: The solution should have inclusion and exclusion detection rules based on corporate directory data to enforce policy based on the sender and recipient/destination.

xi. Predefined detection policy: The solution should have predefined detection policies to cover regulations and detection best practices, including predefined lexicons for commonly required regulations.

xii. Inspect incoming & outgoing data: The ability to extract and inspect the text content of files and attachments for better visibility into your data.

xiii. Recursive inspection of data: The ability to recursively inspect the contents of compressed archives and detect against this.

xiv. Predefined content classifier: The solution should have predefined content classifiers that users can combine to make new policies.

5. Automated Response & Incident Management

i. Tracking lost data: The solution should have the ability to view confidential data loss events via the Web.

ii. Incident flow: The solution should have a clear indication in the incident report of how the transmission or file violated policy (not just which policy was violated), including clear identification of which content motivated the match, for greater accuracy in reporting and to improve processes that could prevent similar violations from occurring.

iii. Sender & Receiver identity: The solution should have the ability to view identity information on the sender (full name, manager name, business unit) and the destination of the transmission to facilitate remediation.

iv. Handling the incident: The solution should have the ability to assign each user in the workflow to the remediation of a certain set of incidents so that the appropriate person is handling the incident.

v. Notifications: The solution should have automated notifications to designated incident manager(s) when they have new incidents to review.

vi. Customized attributes: The solution should have the ability to add customized attributes to incidents to correlate with a unique remediation business process.

vii. Report format: The solution should be able to easily export a group of incidents from the system in a format that is readable by a person without system access (e.g., a PDF).

6. Role Based Access and Privacy Control

i. Role management: The solution should have the ability to create separate roles for technical administration of servers, user administration, policy creation and editing, incident remediation, and incident viewing for data at rest, in motion, or at the endpoint.

ii. Incident management by administrator: The solution should have control of incident access based on business units or groups to ensure only the authorized administrator for the specific business unit or group is managing the incident.

iii. Role administration: The solution should have the ability to define a role to restrict viewing rights to identity-based information.

7. Reporting & Analytics

i. GUI: The solution should have a dashboard view designed for use by executives that can combine information from data in motion (network), data at rest (storage), and data at the endpoint (endpoint) in a single view.

ii. Report Configuration: The solution must provide pre-packaged reporting capabilities out-of-the-box without user intervention/further configuration.

iii. Integrate with SIEM: The solution should integrate with syslog to work with any SIEM solution and support known log formats.

iv. Customize report generation: The solution must support generation of reports with both tabular views and data analysis graphical views. Also the report should be formatted depending on various requirements like executive summary, detailed analysis report etc.

v. Automatically mail report: The solution should allow reports to be mailed directly from the UI and should allow automatic scheduling of reports to identified recipients.

vi. Report types: The solution should have reports that can be exported to different industry standard formats like CSV, PDF, HTML etc.

vii. Scheduler Report: The solution should support scheduling of report generation to start only at a future date.

8. Licenses

i. License: License should be for unlimited devices (network security, PC, end point etc.) from day one, and the licenses should be perpetual and should not expire after any number of years.

9. Implementation

i. Implementation: Implementation has to be done by a partner/SI who has done at least two similar projects in the last two years. The CVs of the resource persons from the vendor/OEM/SI who will work on the project have to be attached with the bid document.

10. Training

i. Training: Comprehensive training for at least 6-10 persons in Dhaka at any suitable training location has to be arranged. The trainer should be certified in the quoted product and have experience of delivering similar training for multiple batches. The training should cover product installation, configuration, administration and customization. It should also cover day to day operation of the product. This training should be proper hands-on training with detailed coverage of all the aspects configured for the DBBL environment.

11. Deliverable

i. Architecture: Design of the architecture of the solution should be provided.

ii. Configuration: Detailed configurations of the implementation have to be provided.

iii. Maintenance Manual: A day to day operation and maintenance manual should be provided.

12. Warranty

i. Warranty: Warranty and AMC should include repair/replacement of any faulty parts. The quoted hardware should have enough CPU, memory and other resources from day 1 to run this application for at least 7 years. The quoted hardware should have a warranty of 3 years and AMC should be available for at least another 4 years.

13. Hardware Requirements

i. Brand Please Specify

ii. Model Please Specify

iii. Dimensions Please Specify

iv. Processor Please Specify

v. Network Interface Please Specify

vi. Memory Please Specify

vii. Storage Please Specify

viii. System OS Please Specify

ix. Scalability Please Specify

x. Note: All the hardware, be it servers, storage or any additional network equipment, has to be provided with the solution so that it works from day one, and the storage should be able to retain data for 7 years.

14. Bill of Materials (BOM)

i. Hardware Please Specify

ii. Appliances Please Specify

iii. Software Please Specify
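The context and incident-scoring items of the DLP specification above (a name found near a valid card number; severity derived from content identifiers) in working form, as an example added by the editor. It is not code from the RFP or from any DLP product: the candidate number is accepted only if it passes the Luhn check, and the severity is raised when a contextual keyword appears within a window around the match. The keyword lexicon, the window size and the severity labels are assumptions.

```python
"""Context-aware PAN detection for a DLP policy (constructed example).

Added by the editor to illustrate the RFP's context and incident-scoring
items; it is not code from the RFP or from any DLP product. A candidate
13-19 digit number is accepted only if it passes the Luhn check, and the
severity is raised when a contextual keyword appears within a window around
the match. The lexicon, window size and severity labels are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed contextual lexicon (not from the RFP); a real policy would be larger.
CONTEXT_WORDS = ("card", "cardholder", "expiry", "cvv", "name", "visa", "mastercard")
CONTEXT_WINDOW = 40  # characters inspected on each side of a match


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so incident reports never carry a full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    masked_pan: str
    severity: str                     # "high" when context supports the match
    context_hits: List[str] = field(default_factory=list)


def scan_text(text: str) -> List[Finding]:
    """Find Luhn-valid card numbers and score each by surrounding context."""
    findings: List[Finding] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            continue  # invoice numbers and similar digit runs usually fail Luhn
        lo = max(0, m.start() - CONTEXT_WINDOW)
        hi = min(len(text), m.end() + CONTEXT_WINDOW)
        window = text[lo:hi].lower()
        hits = [w for w in CONTEXT_WORDS if w in window]
        severity = "high" if hits else "medium"
        findings.append(Finding(mask_pan(digits), severity, hits))
    return findings


if __name__ == "__main__":
    # Constructed sample messages, not real data.
    for sample in (
        "Cardholder name: A. Rahman, card 4111 1111 1111 1111, exp 12/20.",
        "order id 1234 5678 9012 3456 shipped",
        "ref 5555 5555 5555 4444 attached",
    ):
        print(scan_text(sample))
```

The two-stage filter is the point: the Luhn check removes most random digit runs, and the context window separates a card number sitting next to "cardholder" (high severity) from a bare Luhn-valid number in a reference field (medium). The finding carries only a masked PAN, which is what the incident report should show.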


1.5 Web Application Firewall (WAF):

Sl No. | Specification | Description | Bidders Response (Compliance Yes/No; Remarks)

1 Solution Architecture

i. Appliance: The solution must be a hardware appliance-based solution only, or a license upgrade to the existing network/security devices deployed in DBBL premises. All solution components should remain within the premises.

ii. Number of Devices: There should be 8 devices in 2 sites. There should be 2 sets of devices for the WAN side: a) DC-1: 2 WAF devices, b) DC-2: 2 WAF devices. There should be 2 sets of devices for the DMZ/Internet side: a) DC-1: 2 WAF devices, b) DC-2: 2 WAF devices.

iii. a) NIC Ports, WAN side: Should have WAN/LAN/MGMT ports. It should also contain a minimum of 4 x 1G and 4 x 10G ports (SFP+ fiber ports). b) NIC Ports, DMZ/Internet side: Should have WAN/LAN/MGMT ports. It should also contain a minimum of 4 x 1G (copper) ports.

iv. a) Throughput, WAN side: For WAN, the WAF should have a throughput of 2 Gbps scalable to 8 Gbps. b) Throughput, DMZ/Internet side: For the DMZ/Internet zone, the WAF should have hardware-based compression throughput of 250 Mbps scalable to 1 Gbps, and for Core the WAF should have hardware-based compression throughput of 1 Gbps scalable to 4 Gbps.

v. Load Balancing: The solution should support application level load balancing, including the ability to act as an HTTP 2.0 proxy.

vi. Console port: The solution should have a dedicated console port.

vii. Proxy support: The solution should support reverse proxy mode and should be a full proxy.

viii. Redundancy: The solution should support an HA architecture through redundancy.

ix. High availability support: The solution should have hardware fail-open or high availability support. So in DC-1 there should be two devices for the WAN side and another two devices for the DMZ/Internet side. In DC-2 there should be two devices for the WAN side and another two devices for the DMZ/Internet side. So in total eight devices in two locations.

x. Flexibility during installation and removal: There must be minimal impact on the existing web applications and the network architecture when deploying or removing the solution from the network.

2 Solution Requirements

i. Application Support: The solution must be able to protect both HTTP web applications and SSL (HTTPS) web applications. It should have support for ECC keys along with RSA keys.

ii. Application security vulnerabilities: The solution must address and mitigate the OWASP Top Ten web application security vulnerabilities, but not limited to these.

iii. Custom security policy enforcing: The solution should allow enforcing the following protocol-related restrictions on requests, and these should be specifiable on an individual URL basis: a. HTTP method length; b. Request line length; c. URI length; d. Query string length; e. Protocol length; f. Header name, value, and number; g. Request body length; h. Cookie name, value and number; i. Parameter name, value and number; j. Max length (per file) and number for uploaded files (via POST).

iv. Security model approach: The solution must support both the positive and negative security model approach.

v. Monitoring: The solution must be able to support inline monitoring and active enforcement mode.

vi. Protection from vulnerabilities: The solution should support protection from Network, DNS, and Application layer DoS and DDoS attacks, including NXDOMAIN, stress-based DoS attacks and heavy URL attacks.

vii. Protection from web based attacks: The solution should support protection against common attacks such as SQL Injection, Cross-site Scripting, Cookie or Form Tampering etc.

viii. Webshell Attack Detection: The solution should have the capability of Webshell/Backdoor detection.

ix. Malware Attack Detection: The solution should have the capability of web-based malware detection using ICAP and botnet attack detection.

x. Upload protection: The solution should have protection against viral/infected file uploads through ICAP integration with a 3rd party antivirus solution. For DBBL it is Kaspersky End Point Security Version 10.

xi. Protection against Cross-site Request Forgery: The solution should have protection against Cross-site Request Forgery.

xii. Protection against web site cloaking: The solution should have protection against web site cloaking.

xiii. Policy Management for different web applications: The solution should support different policies for different web applications.

xiv. Outbound data security: The solution should have protection against outbound data theft.

xv. Anonymous request blocking: The solution should be able to detect and block requests coming from anonymous proxies.

xvi. Signature protection: The solution must provide signature protection against known vulnerabilities in commercial infrastructure software such as Apache, IIS and so on. It should also support automatic signature updates.

xvii. Adaptive security: The solution should support adaptive security custom rule chains.

xviii. Traffic control: The solution should be able to allow or deny traffic based on IP address.

xix. Dynamic protection: The solution should support dynamic source IP blocking based on attack scores.

xx. Geolocation threat protection: The solution should provide GeoIP detection of clients and blocking based on the geographical region of the clients.

xxi. URL access control: The solution should allow the administrator to restrict access to various HTTP and WebDAV methods, including HEAD, CONNECT, TRACE, etc., on a per-URL basis.

xxii. Cloaking error situations: The solution should be able to "cloak" error responses to hide sensitive server-related information in the response body and response headers.

xxiii. Validate web environment actions: The solution should be able to perform validation on all types of input, including URLs, forms, cookies, query strings, hidden fields and parameters, HTTP methods, XML elements and SOAP actions.

xxiv. Detection and protection technology against deviations: The solution's profiling technology should be able to detect and protect against threats which are specific to the custom code of the web application. After the learning phase, the solution must be able to understand the structure of each protected URL and must be able to detect various anomalies (or violations) and block attacks on the custom code of the application.

xxv. Adaptability with approved change of web application: The solution should allow the re-learning of an application profile on a per-URL or per-page basis. The administrator should not be required to relearn the entire application when only a few pages have changed. The solution should be able to perform profiling of JSON: HTTP requests in JSON format must be learnt by the WAF with their parameters and values. The solution should be able to protect web applications that include Web services (XML) content. The XML protection offered by the solution should be similar to the web application protection provided, with automated profiling/learning capability.

xxvi. Validation of different web services and ensure security: The solution must be able to decrypt SSL web traffic for inspection without terminating or changing the HTTPS connection. The solution should provide a mode whereby it can rewrite HTTP applications to HTTPS on-the-fly, e.g. by modifying all outbound content, and redirect incoming HTTP requests to HTTPS. The solution should protect session tokens, i.e. cookies: a. Sign cookies, to prevent clients from changing them; b. Encrypt cookies, to hide contents; c. Prevent cookie replay attacks; d. Allow for exempting certain cookies from security checks. The solution should provide passive challenge-response mechanisms to distinguish malicious bots from human browsers, e.g. transparent client fingerprinting via script injection. The solution should support protection of XML Web Services against common web application attacks as well as XML-specific attacks. It should be possible to force conformance with the full WS-I Basic specification. The solution should provide for validating XML documents and protecting against XML, DoS and injection attacks (SQL, OS, XSS injection, etc.). The solution should provide for validating SOAP messages, headers and body against a WSDL schema. For the Internet zone, the WAF should have an SSL TPS of at least 12,000 with 2K keys, where one SSL TPS = only one HTTP transaction over each new SSL handshake per second, without session reuse and using a 2048-bit key SSL certificate; for the Core zone, the WAF should have an SSL TPS of at least 20,000 with 2K keys, where one SSL TPS = only one HTTP transaction over each new SSL handshake per second, without session reuse and using a 2048-bit key SSL certificate.

3 Alert and Reporting Capabilities

i. Dashboard: The solution must have an integrated dashboard containing various features of alert and report generation.

ii. Alert: The solution must provide an automated, real-time event alert mechanism.

iii. Sensitive data masking: The solution must support masking of sensitive data in alerts.

iv. Integration with security devices: The solution should integrate with syslog to work with any SIEM solution and support known log formats.

v. Report generation: The solution must provide pre-packaged reporting capabilities out-of-the-box without user intervention/further configuration.

vi. Flexible custom report generation: The solution must have the functionality within the UI out-of-the-box that enables the administrator to create customized reports on demand.

vii. Report views and analysis tools: The solution must support generation of reports with both tabular views and data analysis graphical views. Also the report should be formatted depending on various requirements like executive summary, detailed analysis report etc.

viii. Schedule report generation: The solution must support automatic report generation based on a defined schedule.

ix. Report Delivery: The reports must be distributed via email on demand and automatically (on schedule) in PDF and CSV formats.

4 Management Capabilities

i. Access Control: The solution must support the following authentication mechanisms for accessing the solution management UI: a. In-built authentication in the solution; b. Kerberos authentication; c. LDAPS authentication and authorization with the following Windows platforms: 2003, 2003 R2, 2008, 2008 R2, 2012, 2012 R2, 2016, and Linux (Redhat, Centos), AIX, Solaris, HP-UX; d. RADIUS authentication.

ii. Authentication approaches: The solution should provide two-factor authentication mechanisms: a. Client SSL certificates + password; b. Integration with token-based RSA SecurID; c. Integration with SMS Passcode for 2-factor authentication over the mobile phone SMS network.

iii. Password policy: The solution should support password policy checks for administrators who manage the solution.

iv. Authorization policy management: It should be possible to specify different authorization policies for different parts of the web sites, post authentication. For example, users from LDAP group A have access to /employee/* whereas only users from group B have access to /partners/*.

5 Management Server

i. Each location should have at least 2 management servers.

ii. Of the two management servers, at least 1 must be a physical server.

iii. The redundant or second management server for the same site could be an identical physical server or a virtual machine.

iv. In case the 2nd server is a virtual machine, the server should run in a VMware ESXi or Microsoft hypervisor environment.

v. Both management servers in a site should be in sync, so that if one server is not responding, the other server has the capability to manage the WAF appliances of that site.

vi. Specification of the management server: a. Processor (Please Specify); b. Memory (Please Specify); c. Hard Disk (Please Specify); d. Network Card (Please Specify); e. Redundant Power Supply (Please Specify); f. Operating System (Please Specify); g. Miscellaneous (Please Specify).

6 Licenses

i. License: License should be for unlimited devices (network security, PC, end point etc.) from day one, and the licenses should be perpetual and should not expire after any number of years.

7 Implementation

i. Implementation: Implementation has to be done by a partner/SI who has done at least two similar projects in the last two years. The CVs of the resource persons from the vendor/OEM/SI who will work on the project have to be attached with the bid document.

8 Training

i. Training: Comprehensive training for at least 6-10 persons in Dhaka at any suitable training location has to be arranged. The trainer should be certified in the quoted product and have experience of delivering similar training for multiple batches. The training should cover product installation, configuration, administration and customization. It should also cover day to day operation of the product. This training should be proper hands-on training with detailed coverage of all the aspects configured for the DBBL environment.

9 Deliverable

i. Architecture: Design of the architecture of the solution should be provided.

ii. Configuration: Detailed configurations of the implementation have to be provided.

iii. Maintenance Manual: A day to day operation and maintenance manual should be provided.


10 Warranty

i. Warranty: Warranty and AMC should include repair/replacement of any faulty parts. The quoted hardware should have enough CPU, memory and other resources from day 1 to run this application for at least 7 years. The quoted hardware should have a warranty of 3 years and AMC should be available for at least another 4 years.

11 Hardware Requirements

i. Memory Please Specify

ii. Storage Please Specify

iii. Chipset Please Specify

iv. Ethernet Please Specify

v. Dimension Please Specify

vi. Network Interface Please Specify

vii. Power Supply Please Specify

viii. Redundancy Please Specify

ix. Scalability Please Specify

12 Bill of Materials (BOM)

i. Hardware Please Specify

ii. Appliances Please Specify

iii. Software Please Specify

13 OEM qualification criteria

i. Gartner Report for WAF: The WAF must be in the Leaders or Challengers quadrant of the Gartner Magic Quadrant for Web Application Firewalls for the past 3 consecutive years, i.e. 2014, 2015 or 2016.

ii. ICSA Certified: The WAF should be ICSA certified.

iii. ISO 9001 and 14001 Certification: The OEM should have ISO 9001 and ISO 14001 certification.
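The session-token protection required of the WAF in item 2.xxvi (sign cookies so clients cannot alter them, prevent replay, exempt selected cookies from checks) as an example added by the editor; it is not code from the RFP or from any WAF vendor. The binding string is assumed to be something like a hash of the client's TLS fingerprint that the proxy derives per connection, and the 15-minute TTL is an assumption. Cookie-content encryption (item b) is not shown because it needs an AEAD library; the value stays readable but tamper-evident.

```python
"""Tamper-evident, client-bound session cookies (constructed example).

Added by the editor to illustrate WAF item 2.xxvi (sign cookies, prevent
replay, exempt selected cookies); it is not code from the RFP or from any
WAF vendor. The binding string (assumed to be something like a hash of the
client's TLS fingerprint) and the 15-minute TTL are assumptions. Cookie
content encryption (item b) is not shown because it needs an AEAD library.
"""
import base64
import hashlib
import hmac
import time
from typing import Iterable, Optional


class CookieProtector:
    """Appends an expiry and an HMAC-SHA256 tag to outbound cookies and checks
    them on the way back in, the way a reverse-proxy WAF would."""

    def __init__(self, key: bytes, exempt: Iterable[str] = (), ttl: int = 900):
        self.key = key
        self.exempt = set(exempt)   # cookies passed through untouched (item d)
        self.ttl = ttl

    def _tag(self, name: str, value: str, expires: int, binding: str) -> str:
        # The MAC covers name, value, expiry and client binding, so changing any
        # of them (or presenting the cookie from another client) breaks the tag.
        msg = f"{name}|{value}|{expires}|{binding}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(digest).decode().rstrip("=")

    def protect(self, name: str, value: str, binding: str, now: Optional[int] = None) -> str:
        """Outbound direction: return the wire value '<value>.<expires>.<tag>'."""
        if name in self.exempt:
            return value
        now = int(time.time()) if now is None else now
        expires = now + self.ttl
        return f"{value}.{expires}.{self._tag(name, value, expires, binding)}"

    def verify(self, name: str, wire: str, binding: str, now: Optional[int] = None) -> Optional[str]:
        """Inbound direction: return the original value, or None when the cookie
        was altered (item a), has expired, or is presented by a client whose
        binding differs from the one it was issued to (item c)."""
        if name in self.exempt:
            return wire
        try:
            value, expires_s, tag = wire.rsplit(".", 2)   # value itself may contain dots
            expires = int(expires_s)
        except ValueError:
            return None
        now = int(time.time()) if now is None else now
        if now >= expires:
            return None
        expected = self._tag(name, value, expires, binding)
        if not hmac.compare_digest(expected, tag):
            return None
        return value


if __name__ == "__main__":
    cp = CookieProtector(b"example-key-not-for-production", exempt=("lang",))
    wire = cp.protect("session", "abc.123", binding="fp-A", now=1000)
    print(wire)
    print(cp.verify("session", wire, "fp-A", now=1500))   # original value
    print(cp.verify("session", wire, "fp-B", now=1500))   # None: other client
```

Binding plus a short TTL is what a stateless proxy can do against replay: a captured cookie is useless from a client with a different binding and after the TTL. Strict single-use replay prevention needs server-side state (a nonce store), which is why the RFP item is best read as a requirement to evaluate against the vendor's actual mechanism.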


1.6 Network Behavior Analysis (NBA):

Sl no. | Description | Bidders Response (Compliant Y/N; Remarks)

1. General Requirements

i. The solution should automatically discover new devices that generate flow information and use this information for analysis.

ii. Should capture signature/heuristics based alerts.

iii. Should identify the source of an attack and should not block legitimate users.

iv. Should identify worms through techniques such as identifying the use of normally inactive ports or identification of network scanning activities.

v. Should identify seasonal/periodic variations in traffic and not consider the same as abnormal flow.

vi. The solution must detect denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks including floods of all types (ICMP, UDP, TCP SYN, TCP NULL, IP NULL etc.), identify the presence of botnets in the network, identify DNS spoofing attacks etc.

vii. Should be able to conduct protocol analysis to detect tunneled protocols, backdoors, the use of forbidden application protocols etc.

viii. Should utilize anomaly detection methods to identify attacks such as zero-day exploits, self-modifying malware, attacks in the ciphered traffic, or resource misuse or misconfiguration.

ix. Should be able to instruct network security devices such as firewalls to block certain types of traffic.

x. The solution should have the capability to drop malicious traffic and (or) block infected hosts.

xi. The system should be able to monitor flow data between various VLANs.

xii. The solution must identify network traffic from high risk applications such as file sharing, peer-to-peer, etc.

xiii. Should be able to link usernames to IP addresses for suspected security events.

xiv. The solution should extract user defined fields (including source and destination IPs, source and destination MAC addresses, TCP/UDP ports or ICMP types and codes, number of packets and number of bytes transmitted in a session, timestamps for start and end of session etc.) from captured packet data and then utilize these fields in correlation rules.

xv. Application profiling in the system should also support custom applications present or acquired by the bank.

xvi. Solution should be compatible with a virtual environment.

xvii. The solution should be able to identify potential DDoS attacks.

xviii. The NBA solution should identify anomalies related to VoIP protocols over the data network.

xix. The reporting should be integrated with other network security systems (IPS, IDS, NAC, Firewall etc.).

xx. The solution should retain records of each unique conversation pair through the network for 180 days or more.

xxi. The dashboard should show top applications, services, protocols, hosts, peers, conversations, files, ports etc.

xxii. Dashboard should have the facility to be configured according to user profile.

xxiii. The solution should not export data to a cloud environment for validation or other purposes.

xxiv. System should send email for high risk issues.

xxv. The NBA solution should utilize standard methodologies/models to reduce false positives; the bidder is required to mention which methodologies are being utilized to reduce error rates.

xxvi. The solution must allow analysis by grouping of network segments such as User VLAN, Management VLAN, Server Farms etc.

xxvii. Solution should be able to track users' activities on local and remote network sites and should be able to report usage behavior across the entire network.

xxviii. Solution should support ubiquitous access to view all reporting functions using an internet browser.

xxix. The solution should support the identification of applications tunneling on other ports.

xxx. Solution should be able to collect security and network information of servers and clients without the use of agents.

xxxi. The solution should be able to conduct de-duplication of redundant flows identified in the network to improve performance.

xxxii. The solution should support various forms of flows including but not limited to Cisco NetFlow, Juniper J-Flow, IPFIX over UDP etc.

xxxiii. The solution should provide application bandwidth utilization graphs for various applications, which should include bandwidth consumption for top hosts and trends in network bandwidth utilization.


xxxiv. Solution should probe the network in a manner such that the impact on network performance is minimal.

xxxv. The NBA sensors should support out-of-band mode.

xxxvi. Should be able to identify SSL certificate information for encrypted HTTPS traffic.

xxxvii. The tool should have a system for interactive event identification and rule creation.

xxxviii. For devices/applications that do not support flows, the solution should be able to generate its own flows for monitoring.

xxxix. Solution should have the facility to assign risk and credibility ratings to events.

xl. Solution should support traffic rates up to 10 Gbps or higher.

xli. The flow collectors should have the ability to scale from 1000 flows per second to 30000 flows per second and an unlimited flow license from day one.

xlii. The entire deployment of the NBA solution should have the ability to support multiple collectors, and the central controller should have the capability to scale up to 30000 flows per second.

xliii. The solution should support built-in firewalling, rejecting all packets by default (transparent to pings and port scans).

xliv. The solution should have a single centralized dashboard to display traffic and threats which can be monitored from multiple locations.

xlv. The tool should be able to perform network traffic pattern analysis based on IP addresses, groups of IP addresses, source/destination IP pairs, as well as bandwidth analysis etc.

xlvi. The tool should be able to perform real time monitoring of host behaviors and traffic analysis to identify threats.

xlvii. The tool should detect common events like scanning, worms, unexpected application services (e.g., tunneled protocols, backdoors, use of forbidden application protocols), policy violations, etc.

xlviii. The tool should detect long-lived connections that may be associated with data exfiltration.

xlix. The tool should detect applications running on non-standard port numbers.

l. The events generated by the system should be classified at various risk levels like High, Medium, Low etc.

li. The solution should support traffic profiling associated with logical network design (e.g., Subnet/CIDR).


lii. The solution should provide a full-featured network threat analyzer capability to detect threats emerging from inside the network (i.e., ones that have not passed through a perimeter IPS). This includes the ability to establish “normal” traffic baselines through flow analysis techniques and the ability to detect deviations from those baselines.
liii. The solution must be capable of identifying suspicious or hitherto undiscovered communication patterns, and must support detection of newly discovered patterns in future.
liv. The solution shall provide an application bandwidth utilization graph.
lv. The solution should display traffic profiles in terms of packet rate.
lvi. The solution should display the type of data being transported via HTTP/HTTPS into and out of the network (i.e. text, image, video etc.).
lvii. The solution should identify applications using ports other than the well-known ones, and applications tunneling themselves over other ports (e.g., HTTP used as transport for MS Instant Messenger should be detected as Instant Messenger, not HTTP).
lviii. The solution should have the ability to statefully reassemble uni-directional flows into bi-directional conversations, handling de-duplication of data and asymmetry.
lix. The solution should support detection methods/fingerprints for web crawler identification, location-based threats, GeoIP-based threats, email-based threats and targeted attacks.
lx. The solution should integrate with Microsoft Active Directory, RADIUS and DHCP to provide user identity information in addition to IP address information throughout the system, allow groups based on identity or Active Directory workgroup, and provide a full historical mapping of user name to IP address logins in a searchable format.
lxi. The solution should support detection methods/fingerprints for phishing, botnets, malware, spyware, connections to bad-reputation nations and dark IP space.
lxii. The virtual-appliance-based solution should be provided with a hardened operating system and should not depend on any third-party operating system.
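As an added illustration (not part of the RFP or of any bidder's product) of the flow-based checks the NBA requirements above call for, the following Python sketches per-host traffic baselining with deviation detection, long-lived connection detection and application-on-non-standard-port detection over constructed flow records. The `app` field on each record, the `STANDARD_PORTS` table and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    app: str        # application label as reported by the exporter (assumed field)
    start: int      # epoch seconds
    end: int
    bytes_out: int  # bytes sent from src to dst


# Ports each application is expected on (assumed table); anything else is non-standard.
STANDARD_PORTS = {"http": {80, 8080}, "https": {443}, "dns": {53}, "ssh": {22}}
LONG_LIVED_SECONDS = 6 * 3600  # connections open at least this long are flagged


def build_baseline(history):
    """history: (src_host, bytes_out_in_window) pairs from past windows.
    Returns {host: (mean, population stddev)}, the host's 'normal' profile."""
    per_host = defaultdict(list)
    for host, window_bytes in history:
        per_host[host].append(window_bytes)
    return {h: (mean(v), pstdev(v)) for h, v in per_host.items()}


def bytes_per_source(flows):
    """Total bytes_out per source host in the current window."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.bytes_out
    return dict(totals)


def analyze(flows, baseline, sigma=3.0):
    """Run the baseline, long-lived and non-standard-port checks; return events
    as dicts with a kind, the offending host and a simple risk level."""
    events = []
    for host, total in sorted(bytes_per_source(flows).items()):
        if host not in baseline:
            events.append({"kind": "no_baseline", "host": host, "risk": "Low",
                           "detail": f"{total} bytes out from a never-profiled host"})
            continue
        mu, sd = baseline[host]
        # A flat history gives sd == 0; fall back to a simple 2x-mean rule then.
        threshold = mu + sigma * sd if sd > 0 else 2 * mu
        if total > threshold:
            events.append({"kind": "baseline_deviation", "host": host, "risk": "High",
                           "detail": f"{total} bytes out vs threshold {threshold:.0f}"})
    for f in flows:
        duration = f.end - f.start
        if duration >= LONG_LIVED_SECONDS:
            events.append({"kind": "long_lived", "host": f.src, "risk": "Medium",
                           "detail": f"{f.src}->{f.dst}:{f.dport} open for {duration}s"})
        if f.app in STANDARD_PORTS and f.dport not in STANDARD_PORTS[f.app]:
            events.append({"kind": "nonstandard_port", "host": f.src, "risk": "Medium",
                           "detail": f"{f.app} seen on port {f.dport}"})
    return events


# Constructed sample data: five past windows per host, then one current window.
HISTORY = [("10.1.1.10", b) for b in (4_800_000, 5_100_000, 5_000_000, 4_900_000, 5_200_000)]
HISTORY += [("10.1.1.20", b) for b in (200_000, 180_000, 220_000, 210_000, 190_000)]

CURRENT_FLOWS = [
    Flow("10.1.1.10", "10.1.2.5", 443, "https", 0, 300, 4_000_000),  # within baseline
    Flow("10.1.1.10", "10.1.2.6", 443, "https", 0, 120, 1_000_000),  # within baseline
    Flow("10.1.1.20", "203.0.113.9", 8443, "http", 0, 8 * 3600, 900_000_000),  # trips all three
    Flow("10.1.1.30", "10.1.2.5", 22, "ssh", 0, 60, 1_000),  # host with no baseline
]

if __name__ == "__main__":
    for e in analyze(CURRENT_FLOWS, build_baseline(HISTORY)):
        print(e["risk"], e["kind"], e["host"], e["detail"])
```

A production NBA correlates these checks across many windows and enriches them with identity data (requirement lx); here the risk levels are assigned per check to mirror requirement l.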


2. Licenses
i. Licenses should be for unlimited devices (network security, PC, endpoint etc.) from day one, and the licenses should be perpetual and should not have any expiration after whatsoever number of years.

3. Implementation
i. Implementation has to be done by a partner/SI who has completed at least two similar projects in the last two years. The CVs of the resource persons from the vendor/OEM/SI who will work on the project have to be attached with the bid document.

4. Existing Security Device Configuration
i. Existing Firewall configuration: re-configuration according to the best practices of the banking environment
ii. Existing NGFW configuration: re-configuration according to the best practices of the banking environment
iii. Existing ISE configuration: re-configuration according to the best practices of the banking environment
iv. Existing Web Security Gateway configuration: re-configuration according to the best practices of the banking environment
v. Existing Email Security Gateway configuration: re-configuration according to the best practices of the banking environment

5. Training
i. Comprehensive training for at least 10-12 persons in Dhaka at any suitable training location has to be arranged. The trainer should be certified in the quoted product and have experience of delivering similar training on multiple batches. The training should cover initialization of product installation, configuration, administration and customization. It should also cover day-to-day operation of the product. This training should be proper hands-on training with detailed coverage of all the aspects configured for the DBBL environment. Comprehensive training (at least 5 days of hands-on classroom training) is required for the below-mentioned products:
a. Network Behavior Analysis (NBA)
b. Cisco Next Generation Firewall
c. Cisco ISE
d. Cisco Web Security Appliance and
e. Cisco Email Security Appliance

6. Deliverables
i. Design of the architecture of the solution should be provided.
ii. Detailed configurations of the implementation have to be provided.
iii. A day-to-day operation and maintenance manual should be provided.

7. Warranty
i. Warranty and AMC should include repair/replacement of any faulty parts. The quoted hardware should have enough CPU, memory and other resources from day 1 to run this application for at least 7 years. The quoted hardware should have a warranty of 3 years, and AMC should be available for at least another 4 years.

8. Hardware Requirements
i. Brand: Please specify
ii. Model: Please specify
iii. Dimensions: Please specify
iv. Processor: Please specify
v. Network Interface: Please specify
vi. Memory: Please specify
vii. Storage: Please specify details, with RAID capability and the capacity needed to store data for 7 years.
viii. Operating System: Please specify
ix. Scalability: Please specify
x. Power: At least dual redundant power supply.
xi. Virtual: Please specify (VMware and Hyper-V)
xii. Number of nodes required: Please specify
xiii. Note: All hardware, be it servers, storage or any additional network equipment, has to be provided with the solution so that it works from day one, and it should be able to keep data for 7 years in the storage.

9. Bill of Materials (BOM)
i. Hardware: Please specify
ii. Appliances: Please specify
iii. Software: Please specify

10. Bill of Quantity (BOQ)
i. Bidder should submit the BOQ of the proposed devices, including the detailed part numbers and manufacturer warranty part numbers.


1.7. Conducting Vulnerability Assessment and Penetration Testing (VAPT) service of the Bank’s network:

Bidders Response columns: Sl no. | Specification | Complied (Yes/No) | Detailed Explanation

1. General requirements
I. Bidder should identify the people, processes, and technologies that are considered in scope.
II. Bidder should provide a detailed checklist of the documentation required for the purposes of the engagement.
III. The bidder should perform the VAPT in DC-1 and DC-2 as per the Bank’s current network architecture.
IV. Bidder should consider all the IP addresses of all the end devices present in DC-1 and DC-2 as within the working scope. This also includes facilitating PCI DSS requirements as well as the overall cardholder data environment (CHD), DNS systems, anti-virus system and file servers.

2. VAPT Activities
I. Network device configuration reviews performed through the collection and analysis of data from a sampling of network devices, such as firewalls, routers and switches.
II. Network-based vulnerability scanning of a sample of internal systems to assess systems, network devices, and applications for vulnerabilities and security weaknesses.
III. Review of automated scan results with manual testing to reduce false positive results.
IV. Host discovery to identify live hosts on in-scope IP address ranges.
V. Network-based vulnerability scanning of Internet-accessible network devices for vulnerabilities and security weaknesses.
VI. VAPT should be comprehensive, including but not limited to the following activities:
- Network Scanning
- Port Scanning
- System Identification & Trusted System Scanning
- Vulnerability Scanning
- Malware Scanning
- Spoofing
- Scenario Analysis
- Application Security Testing & Code Review
- OS Fingerprinting
- Service Fingerprinting
- Access Control Mapping
- Denial of Service (DoS) Attacks
- DDoS Attacks
- Authorization Testing
- Lockout Testing
- Password Cracking
- Cookie Security
- Functional validations
- Containment Measure Testing
- War Dialing
- DMZ Network Architecture Review
- Firewall Rule Base Review
- Server Assessment (OS Security Configuration)
- Security Device Assessment
- Network Device Assessment
- Database Assessment
- Website Assessment (Process)
- Vulnerability Research & Verification
- IDS/IPS review & Fine tuning of Signatures
- Man in the Middle attack
- Man in the Browser attack
- Any other attacks
VII. Web Application assessment should be done as per the latest OWASP guidelines, including but not limited to the following:
- Injection
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security configuration flaws
- Insecure Cryptographic Storage
- Sensitive Data Exposure
- Failure to Restrict URL Access
- Missing Function Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Known Vulnerable Components
- Unvalidated Redirects and Forwards
- Insufficient Transport Layer Protection
- Any other attacks to which the web sites and web applications are vulnerable

3. Deliverables
I. The VAPT Report should contain the following:
- Identification of Auditor (address & contact information)
- Dates and Locations of VAPT
- Terms of reference
- Standards followed
4. The report should further contain:
- Detailed outcome of the assessment
- Summary of audit findings, including identification of tests, tools used and results of tests performed (vulnerability assessment, penetration testing, application security assessment, website assessment etc.)
- Tools used and methodology employed
- Positive security aspects identified
- List of vulnerabilities identified
- Description of vulnerability
- Risk rating or severity of vulnerability
- Category of Risk: Very High / High / Medium / Low
- Test cases used for assessing the vulnerabilities
- Illustration of the test cases
- Applicable screenshots
- Analysis of vulnerabilities and issues of concern
- Recommendations for corrective action
- Personnel involved in the audit
5. The VAPT Report should comprise the following sub-reports:
- VAPT Report – Executive Summary
- VAPT Report – Core Findings along with Risk Analysis
- VAPT Report – Detailed Findings/Checklists
- VAPT Report – Remediation of the vulnerabilities


ANNEXURE B: PROJECT MANAGEMENT

PROJECT MANAGEMENT

1. BANK’S PROJECT REPRESENTATIVE:

All project management and coordination for the Bank shall be through the contact designated below as the Project Representative:

SK. Shakil Ahmed
Senior Assistant Vice President
Head of IT Security Division
K.B. Square (5th Floor)
736, Satmasjid Road
Dhanmondi, Dhaka-1209
Bangladesh
E-mail: [email protected]

The Bank will work with the successful bidder at each point of the project.

1.1. Any and all work performed under the resulting contract(s) shall be subject to approval and acceptance by the Bank Representative. In no instance shall the Bidder’s staff refer any matters to any Director or owners or any other high official in Dutch-Bangla unless initial contact, both verbal and in writing, regarding the matter has first been presented to the Bank’s Representative.

1.2. All correspondence from the Bidder shall be addressed directly to the Bank’s Project Representative. The Bank’s Project Representative shall be responsible for corresponding and arranging meetings with Bank personnel and outside agencies and associations.

1.3. The Bank’s Project Representative shall document the performance of the Bidder as to the satisfaction of any deliverables required to meet the requirements of the contract.

The Bidder will be required to perform their work in compliance with Bank technology standards, policies and procedures.


ANNEXURE C: USER TRAINING

USER TRAINING

Columns: Quoted Specification | Requirements | Remarks

1. In-person Installation and Administration training: the vendor/supplier must provide adequate and appropriate training to at least 10-12 bank personnel for efficient operation of the system at Dhaka, delivered by an OEM-certified trainer with OEM-certified training materials.
2. Separate training has to be provided for the following tools/appliances:
   1. Security Information and Event Management (SIEM)
   2. Directory and Endpoint Support Service and collection of all the information of the endpoints
   3. Data Loss/Leakage Prevention (DLP)
   4. Web Application Firewall (WAF)
   5. Network Behavior Analysis (NBA)
3. A detailed training plan with specifications for training courses, schedules, site and requirements must be defined.
4. The trainer should be from the OEM and should have at least two years of expertise and have delivered training on the specific domain on which training is being delivered.
5. In case of overseas training, all training expenses like airfare, hotel, food, lodging, etc. have to be borne by the vendor.
6. Training documentation has to be provided.


ANNEXURE D: DOCUMENTATION

DOCUMENTATION

Columns: Quoted Specification | Requirements | Remarks

1. The vendor/supplier must provide a complete set of the following documentation:
- User’s manuals
- Technical / Operator’s Manual
2. The vendor/supplier shall provide/turn over all system documentation (Technical and Functional Specifications, etc.), if applicable.
3. The vendor/supplier must also provide upgrades to the manuals during the warranty period.


ANNEXURE E: QUALIFICATION APPLICATION

Qualification application (To be submitted on the pad of the bidder)

Name of bidder:

Contact Info (for query):

1. Latest Audited Balance Sheet: Please attach audited copies of the summary of annual accounts of the past 3 years (please do not attach the Annual Report Booklet).

2. Company Profile:
a) About Company :
b) About Directors :
c) About Senior Management :
d) Profile of employees to be engaged in this Project :

3. Net Sales (in respective currency):
a) Current period :
b) During the last financial year :
c) During the year before last financial year :

4. Net Profit before Tax:
a) Current period :
b) During the last financial year :
c) During the year before last financial year :

5. Bidder’s Financial arrangements:
a) Own Resources :
b) Bank Credit :
c) Others (specify) :

6. Certificate of financial soundness from Bankers of Bidders :

7. Income Tax clearance: Please enclose copies of the following documents:
a) Details of Income Tax registration :
b) Last Income Tax clearance certificate :

(Enclose necessary documentary proof)


ANNEXURE F: SUBMISSION FORM

Submission Form (To be submitted on the pad of the bidder)

Date:

Head of IT Security Division
Dutch-Bangla Bank Ltd.
IT Security Division
K.B. Square (5th floor), 736, Dhanmondi, Dhaka-1209.

Subject: Submission of proposal for Gap analysis, remediation plan and rectification of gaps for PCI DSS v3.2 certification and enhancement of security infrastructure by assessing vulnerabilities and implementing SIEM, Directory and Endpoint Support Service, WAF, DLP, Network Behavior Analysis and conducting VAPT service for Dutch-Bangla Bank Limited.

Dear Sir,

With reference to your Tender Notice published in the Daily ………………. dated ………………., I/We, having agreed to the rules/conditions contained in the relative schedule # DBBL/100/ITSD/Tender/2017/01 of Dutch-Bangla Bank Limited, hereby submit our proposal for “Gap analysis and preparation of remediation plan for PCI DSS v 3.2 certification and enhancement of security infrastructure by implementing SIEM, WAF, DLP, Network Behavior Analysis and Conducting Vulnerability Assessment and Penetration Testing service of the Bank’s network”, which includes the Technical Proposal and Financial Proposal sealed under separate envelopes.

I/We would also like to provide the following information about our company:

1. Company Name, Address : ………………………………………………….
2. Name of the Proprietor/ Partner/ Director : ………………………………………………….
3. Date of commencement of Business : ………………………………………………….
4. Nature of the business : ………………………………………………….
5. Total number of permanent employees : ………………………………………………….
6. Particulars of identical projects with other Banks/ financial Institutions (related papers are attached with the Technical Proposal) : ………………………………………………….
7. Relevant papers mentioned in the schedule are enclosed herewith :
a) ………………………………………………….
b) ………………………………………………….
c) ………………………………………………….
d) ………………………………………………….
e) ………………………………………………….

I/We solemnly declare that the statements made above are correct. I/We agree that any misstatement made by us, if detected later on, shall render our application unacceptable to the Bank.

(Signature)
(Name & designation of Authorized Signatory)
(Name & Address of the Bidder with Seal)

ANNEXURE G: BANK GUARANTEE

Bank Guarantee

DUTCH-BANGLA BANK LTD.
IT SECURITY DIVISION
K.B. SQUARE (5TH FLOOR), 736, DHANMONDI, DHAKA-1209.

GUARANTEE NO: DATED: EXPIRY

WHEREAS …………………. (HEREINAFTER CALLED THE ‘SUPPLIER’) HAS UNDERTAKEN, IN TERMS OF THE TENDER PUBLISHED IN THE DAILY ………….. NEWSPAPER DATED ………, THE SUPPLY, INSTALLATION AND COMMISSIONING OF RELATED SERVICES, HARDWARE AND SOFTWARE FOR A TOTAL VALUE OF .. …………… (……………………..) WITH DUTCH-BANGLA BANK LIMITED, IT SECURITY DIVISION, K.B. SQUARE (5TH FLOOR), 736 DHANMONDI, DHAKA-1209 (HEREINAFTER CALLED THE CUSTOMER).

AND WHEREAS IT HAS BEEN ADVISED BY THE CUSTOMER THAT THE SUPPLIER, HAVING BUSINESS AT ……………… FLOOR, ………. ., DHAKA-………., SHALL FURNISH THE CUSTOMER WITH AN UNCONDITIONAL BANK GUARANTEE BY A RECOGNIZED BANK, ACCEPTABLE TO THE CUSTOMER, FOR THE SUM OF … …………….. (………….) FOR 06 (SIX) MONTHS AS SECURITY MONEY AS PER THE TERMS OF THE TENDER.

WE (BANK NAME, ADDRESS) HEREBY IRREVOCABLY UNDERTAKE TO PAY, UP TO THE SUM OF TAKA …………… (……………), UPON RECEIPT OF YOUR FIRST WRITTEN DEMAND AND WITHOUT CAVIL OR ARGUMENT, ANY SUM OR SUMS SET OUT IN SUCH WRITTEN DEMAND. WE ACKNOWLEDGE THAT THE CUSTOMER WILL NOT BE REQUIRED TO PROVE OR SHOW GROUND(S) OR REASON(S) FOR THE DEMAND FOR THE SUM SPECIFIED HEREIN.

OUR MAXIMUM LIABILITY UNDER THIS GUARANTEE SHALL IN NO EVENT EXCEED THE AGGREGATE SUM OF Tk …………….. (……….) ONLY.

THIS GUARANTEE IS VALID FROM ……… UNTIL CLOSE OF BANKING BUSINESS IN BANGLADESH AT 5.00 PM ON ……… (HEREINAFTER CALLED “THE EXPIRY DATE”), AND ANY CLAIM FOR PAYMENT IN THIS RESPECT MUST REACH THE BANK ON OR BEFORE THE EXPIRY DATE. THIS GUARANTEE MAY BE EXTENDED FOR A FURTHER PERIOD OF SIX MONTHS, OR ANY PERIOD SPECIFIED BY THE BUYER, UPON RECEIPT OF A WRITTEN REQUEST FROM THE CUSTOMER. AFTER THE EXPIRY, THIS GUARANTEE SHALL AUTOMATICALLY BECOME NULL AND VOID NOTWITHSTANDING THE FACT THAT THIS GUARANTEE IS NOT RETURNED TO US FOR CANCELLATION.

DHAKA

DATE…………….
