Telangana Technology Services Ltd

Office at 5-10-103/40/206, 2nd Floor, HACA Bhavan,
Opp. Public Gardens, Hyderabad – 500004, Telangana
Web site: http://TGTS.telangana.gov.in
CIN NO: U74900TG2015SGC101517

Tender Ref.No.TGTS/CS/SAUDIT/RC/2024, Dt: 04.02.2025

Tender Document

To,
All the CERT-IN empanelled Agencies

Sub: TGTS – Rate Contract Empanelment with TGTS for 2 Years for undertaking Audits for Telangana
State Govt Departments/PSUs – Bids Requested - Reg.
***
Attention is invited to the subject cited above.

TGTS on behalf of the Government of Telangana invites bids from only CERT-In empanelled Agencies,
towards Undertaking Various Audits & Certification of Application Security VAPT on need basis.

Time Schedule of various tender related events

Bid calling date: 04.02.2025, 03:00 PM on eProcurement portal
Bid closing date/time: 11.02.2025, 03:00 PM on eProcurement portal
Bid opening date/time: 11.02.2025, 04:00 PM on eProcurement portal
Bid Document Fee: Rs. 5,000/- in the form of DD in favor of the Managing Director, Telangana Technology Services Ltd., Hyderabad
EMD (refundable): Rs. 1,00,000/- in the form of DD/BG/Online in favor of the Managing Director, Telangana Technology Services Ltd., Hyderabad
TGTSL Contact person: Managing Director: mngdirector-tgts@telangana.gov.in; General Manager: rpushpa-tgts@telangana.gov.in; i/c. General Manager: bvrao-tgts-ts@telangana.gov.in
Rate Contract Period: 2 Years from date of issue of Letter of Empanelment.
TGTSL Reference No.: TGTS/CS/SAUDIT/RC/2024

EMD shall be submitted in the form of Demand Draft or an unconditional Bank Guarantee (which should be valid for 3 months from the last date of bid submission) of any Nationalized Bank (operating in India having branch at Hyderabad) in the name of "Telangana Technology Services Ltd." payable at Hyderabad, submitted along with the covering letter.

Note: Bidders who wish to participate in this bid will have to register on https://tender.telangana.gov.in
Further bidders who wish to participate in online bids will have to procure Digital Certificate as per
Information Technology Act 2000 using which they can sign their electronic bids.

1. Introduction & Services Required:

# Service Description
1 Security Audit of portals with dynamic web application
2 Security Audit of Portal with Static web pages
3 Security Audit of Mobile Application
4 Security Audit of Web Services/API
5 Renewal of Security Audit of web applications
6 Network security audit (VAPT)
7 Configuration Audit – Servers/Devices
8 Wireless security audit
9 Compliance audits (ISO 27001, IEC 62443, IEC 27019, PCI, etc.)
10 Finance Sector Audits (Swift, ATMs, API, Payment Gateway etc.)
11 Cloud security Audits
12 Physical Access Controls & Security testing
13 Information Security Testing
14 Business Continuity Planning / Disaster Recovery Audit
15 Application Source Code Review

1. The Telangana State Government Departments request TGTS to undertake various Audits related to
URLs, Applications and Compliance audits for their applications.

2. To undertake the said work, TGTS intends to empanel CERT-In Empanelled/Certified Agencies for
each line service indicated in the table for a period of 2 Years under the Rate Contract method. An
auditor need not participate for every item; participation should be based on the skill set available
for a particular service. TGTS desires to have service-wise expertise empanelment.

3. The identified Agencies should undertake Audit for the purpose of providing an independent
assessment on governance, risk management, and control processes of an Application/ Portal.

4. All the relevant information related to Web portals/Applications to be audited shall be communicated
along with the Work Order to undertake the work.

5. The required technical details shall be shared by respective Client Departments to the Audit agency
directly post issuance of Work Order by TGTS.

6. The Audit should provide independent review and examination of a system's records and activities
to determine the adequacy of system controls, ensure compliance with established security policy
and procedures, detect breaches in security services, and recommend any changes that are indicated
for countermeasure.

7. The identified Agency(s) should:

 Identify vulnerabilities and risks in web/mobile applications and networking infrastructure
 Validate the effectiveness of current security safeguards
 Quantify the risk to the internal systems and confidential information
 Provide detailed remediation steps to detect existing flaws and prevent future attacks
 Validate the effectiveness of security and system updates/upgrades
 Protect the integrity of assets in case of existing malicious code hidden in any of them
 Help to achieve and maintain compliance with applicable standards & regulations

8. The Auditor is expected to carry out an assessment of the vulnerabilities, threats and risks that may
exist in the above website through Internet Vulnerability Assessment and Penetration Testing which
includes identifying remedial solutions and recommendations for implementation of the same to
mitigate all identified risks, with the objective of enhancing the security of the website. The website
audit should be done by using Industry Standards and as per the Open Web Application Security
Project (OWASP) methodology.

Qualification & Evaluation Criteria:


1. Pre-Qualification Criteria for records
The bidder participating in the tender process shall produce the following minimum eligibility criteria
supporting documents.

1. Empanelment with CERT-In
   Criteria: The bidder must be an empaneled auditor of CERT-In, having an empanelment certificate. Copy of authorization with valid CERT-In empanelment certificate to be furnished.
   Support documents to be submitted: Copies of valid empanelment certificates issued by CERT-In as on Date of Bid Submission.

2. GST Registration
   Criteria: The bidder should have a registered number of (i) GST; (ii) Income Tax / PAN number. The bidder should have cleared his GST dues to the Government.
   Support documents to be submitted: Copies of relevant certificates of registration. CA Certificate with CA's Registration Number/Seal specifying that Service Tax dues to the Govt. have been paid till date.

3. Past Experience
   Criteria: The Bidder should have executed at least 05 IS Security Audit/Assessment and Penetration Testing Projects for any Government / Banks / Financial Institution / PSU in the country in each year for the last 5 years. Out of these, the Bidder should have conducted IS Security Audit/assessment and penetration testing for at least one or two enterprises totaling 2000+ Computing Devices (IPs) from these enterprises. The individual order value from such projects should be above Rs. 2 Lakhs. The bidder should have the capability to showcase the findings on an online platform. The platform should also be able to map the vulnerabilities to OWASP (Open Web Application Security Project) Top 10 & SANS (SysAdmin, Audit, Network and Security) Top 20. The platform should provide the attack tree and common open/vulnerable ports.
   Support documents to be submitted: Copies of agreements, work completion certificates from Head of the Department (HoD). Brief details of the projects handled should be added chronologically. Compliance to be submitted for the platform capability.

4. Manpower Availability
   Criteria: The Bidder must have on its rolls, on permanent employment basis, a minimum of Five (05 Nos) Certified professionals. They must deploy at least Two (2) professionals who hold valid professional certifications like CISA/CHFI/CEH/CISM/CISSP/ISO 27001 LA/BS 7799 LA/ISO27001 LA. The auditing company must deploy their full-time employees only; outsourcing to external/outside consultants or subcontracting to other companies is not acceptable. Personnel deployed for this engagement must have a valid police verification certificate.
   Support documents to be submitted: Proof of certification along with candidates' resumes should be attached. An undertaking to this effect shall be submitted by the bidder in the bid.

5. Mandatory Undertaking/NDA
   Criteria: Bidder should submit an undertaking/NDA.
   Support documents to be submitted: A Self Certified letter as per Annexure: Self-Declaration.

6. Local Presence
   Criteria: The bidder should have a local Office / local Technical team in Hyderabad/Telangana State for undertaking works involving onsite team deployment.
   Support documents to be submitted: Details to be submitted.

Note:
1. Only CERT-In empaneled Active Agencies as on bid calling date may participate.
2. All correspondence should be with TGTS contact person in writing only. Companies not fulfilling
above criteria shall be summarily rejected. Bids without supporting documents shall be treated as
non-responsive & rejected.
3. Any bidder who offers discounts/ benefits suo-motu after opening of commercial bid(s) will be
automatically disqualified from the current bidding process without any prior notification and
also may be disqualified for future bidding processes in TGTS.

4. All the Forms should be filled in and submitted on the bidder's letterhead along with relevant
supporting documents.
5. Consortium bidding & sub-contracting is not permitted.

Bid Evaluation Criteria:

A. Bidders may submit bid for all the services (or) any of the services based on expertise, mentioned
in tender document.

B. As part of technical bid, bidder should provide details of List of Information Security Audit
Tools used (commercial/ freeware/proprietary)

C. The Commercial bid evaluation shall be on Least Cost Method for Service Category & L1 price
for each service shall be identified for Empanelment. The bidders willing to match the service
wise L1 price shall be considered for Empanelment.

D. 2 to 3 Agencies shall be empanelled service wise based on the need & requirement.

E. The price quoted in the bid should be valid for 2 years Rate Contract Period.

F. Conditional bids shall be rejected.

G. Any bid having Commercial quotes in Technical bid shall be rejected/ disqualified.

Payment Terms:
100% payment will be made to Agency only after submitting the final audit certificate along with
deliverables and acceptance by Client Dept.

Other Terms:
A. TGTSL reserves their right in not considering the bid of a bidder, if such bidder was a previous
supplier and had a past bad track record or their earlier performance was unsatisfactory on any
count.
B. The prices shall be quoted in Indian Rupees only.
C. All taxes, duties, levies applicable etc. shall be clearly indicated.
D. Prices quoted must be final and shall remain constant throughout the period of validity of bid
and shall not be subject to any upward modifications, whatsoever.
E. Bidders shall indicate their rates in clear/visible figures as well as in words and shall not
alter/overwrite/make cutting in the quotation
-------------------------------------------------------------------------------------------------------------------------------------------

2. Detailed Scope of Work

2.1 Introduction

The departments of Government of Telangana have IT infrastructure comprising Servers, Network
Infrastructure, Operating System Software, Application Software, etc., and desire to get the IS Security
Audit done, which includes Vulnerability Assessment/Audit and Penetration Test of department
portals as per the details at Annexure, by a CERT-In empanelled external agency.

Further, as per the policy of Telangana State Data Centre, it is mandatory that the websites/web
applications undergo security audit to obtain a 'Safe to Host' certification. The web
applications/websites need a Web application scanning solution that can scan for security loopholes in
Web based applications to prevent would-be hackers from gaining unauthorized access to corporate
information and data. Web applications are proving to be the weakest link and are easy to hack.
Therefore, intrusion detection and defense mechanisms are required to prevent breaches of security
perimeters and unauthorized access to an organization's network.

For Security Assessment/Audit, an iterative testing procedure shall be followed, with a gap for fixing issues
identified during each iteration. At the end of each iteration, a report detailing the vulnerabilities
identified, if any, should be submitted. It will be the responsibility of the concerned Client Department to
plug these vulnerabilities and do a first-level check that the vulnerabilities identified have been
corrected, before providing the web application for the second iteration. The vendor should cover at
least three iterations.

i. Level 1 Security Audit/Assessment:

The selected IT Security Audit agency shall be responsible for the assessment of the security,
vulnerabilities, threats and risks that exist in Web applications of GOT by running Internet
Vulnerability Assessment and Penetration Testing scripts with appropriate usage of testing tools.
All the assessment methodology and testing procedures should be based on Industry best
practices and standards mentioned at Section 2.1.

ii. Level 2: Re-Audit based on the recommendation report from Level 1:

The selected ISA shall undertake the vulnerability assessment exercise on the rectified and
corrected Web applications/ERP systems submitted by the application development team of the
concerned client department post Level 1. The ISA shall also submit the detailed recommendation
report for the vulnerabilities identified at Level 1 along with the summary/checklist of
vulnerabilities identified with subsequent correction status.

iii. Issuance of ‘Safe to Host Certificate’
Web applications/ERP systems security audit are to be conducted in iterative cycles (called as
level) of testing and code correction till identified as ‘Safe for hosting’. TGTS expects that all the
vulnerabilities and potential threats would get rectified by the end of Level 2 or Level 3, once
done selected ISA shall be responsible for the issuance of ‘safe to Host’ certificate for the
considered Web applications/ERP systems and submit the Final Audit Report.

The selected ISA shall be responsible to undertake the Security Audit as per Industry Standards and
methods and provide assurance as per the following acts:

 Information Technology Act, 2000 as amended in 2008 and thereof (http://meity.gov.in/sites/upload_files/dit/files/downloads/itact2000/it_amendment_act2008.pdf, etc.)
 Guidelines for Indian Government Websites (GIGW) - NIC & DARPG
 CERT-In guidelines for web security & security audit (http://www.cert-in.org.in)
 Applicable best practices and industry standards like Open Web Application Security Project
(OWASP) Top 10, SANS Top 20, ISO27001/ ISO 27001(2), OSSTM etc. during the auditing
process.
 TGTS may choose to avail follow-up audit service depending on the necessity and guidelines of
the Department of Electronics and Information Technology, GOI on this issue.

2.2 Implementing and Participating Agencies (Stakeholders)

The project shall deliver benefits to various stakeholders associated with the functioning of the
Client Department. The following key stakeholders have been identified for this project.
a. The concerned Line Department / Client Department
b. Telangana Technology Services Limited (TGTSL)
c. Selected IT Security Auditor(s) (ISA)

2.3 Scope of Work for Web based Application Security Audit

a. Security Audit of Web Applications: The selected IT Security Audit Agency shall be responsible
for the assessment of the vulnerabilities, threats and risks that exist in the website through Internet
Vulnerability Assessment, Penetration Testing and Industry standard methodologies. This will
include identifying remedial solutions and recommendations for implementation of the same to
mitigate all identified risks, with the objective of enhancing the security of the website. The bidder
will also be expected to propose a risk mitigation strategy as well as give specific recommendations
to tackle the residual risks emerging out of the identified vulnerabilities assessment. The Website
includes HTML pages, dynamic pages or static pages developed using CMS, multi-portal web
applications and modules/Web applications integrated in the website using backend databases,
payment gateway, encryption etc.

b. Services to be Performed: The IT Security Audit Agency should check for the below indicative list of
potential threats and attacks to which Websites / Web applications are vulnerable and shall
submit a detailed recommendation report for each identified vulnerability.

1. Injection Flaws: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

2. Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

3. Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users' identities.

4. Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

5. Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

6. Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests which the vulnerable application in turn treats as legitimate requests from the victim.

7. Security Misconfiguration (NEW): Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

8. Insecure Cryptographic Storage and Weak Ciphers and Session Keys: Many web applications/websites do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

9. Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.

10. Failure to Restrict URL Access: Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

11. Information tampering by forensic evidence: Whether there is evidence to confirm that sufficient logs are maintained for all transactions and that systems are in place to capture and maintain forensic evidence in a manner that maintains control over the evidence and prevents tampering with it and collection of false evidence.

12. Insufficient Transport Layer Protection: Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

13. Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Additional Testing for the following exploitable vulnerabilities:

 Canonicalization (standardization or normalization)
 Insecure Communications (clear text protocols like telnet, ftp for sensitive data)
 URL Access, Regular Expression Checks, Tainted Parameters, Header Integrity
 Path Manipulation, Thread Safety, Hidden Form Field Manipulation
 Fail Open Authentication, Weak Session Cookies, Misconfigurations and Weak Passwords.
The above list is only indicative; hence the selected IT Security Audit Agency shall also be responsible to
carry out the assessment for any other attack to which the website/web application is vulnerable.
c. Detailed Analysis of Application Components
 Operating System
 Web Server and
 Databases
Within each of these Web Components, ISA must analyze and test the following security areas:
 Configuration Security
 Audit Logging
 Security of Directory Structures
 Volumes
 Patches and Hot Fixes
 Services
 Ports
 Protocols
 Access
 Password
 Account Controls &
 Registry Settings etc.
d. Privileged Testing
 Authorized User’s Ability to Elevate Privileges
 Authorized User’s Ability to View Other User/Account Data
 Authorized User’s Ability to Add/Modify/Delete other Account Data
 Authorized User’s Existing Access is Appropriate Based Upon Role
2.4 Deliverables and Audit Reports:

The audit agency should submit the following as part of Audit:

A detailed report with security status and discovered vulnerabilities, weaknesses and
misconfigurations, with associated risk levels and recommended actions for risk mitigation, forming the
Web Application Security Report with a summary of High, Medium and Low vulnerabilities:
i. Application Security Posture Assessment Approach.
ii. Snapshot of Current Application Information Security Posture
 Map the organization's reports to the OWASP Top 10 errors
 Map the organization's web application errors to the Top 25 programming errors per OWASP
 Summary of High Risk, Medium Risk and Low Risk Vulnerabilities specific to the
enterprise.
iii. Security posture assessment
 External Security Posture, and
 Internal Security Posture.
iv. Penetration Testing Summary
 Analysis of Top 10 Configuration Errors and Top 25 Programming Errors per OWASP.
 Attack Types and Attack Methods Used
 Common Hacker Techniques
 Data Integrity Analysis
v. Recommendation for optimization and enhancement to the existing application wherever
applicable
vi. For the website having integration with the payment gateway, bidder may need to furnish
Vendor Site Compliance Certificate as per the format provided by the Bank / TGTS
vii. Summary of Privilege Testing
viii. Summary and detailed reports on security risk, vulnerabilities and audit with the necessary
counter measures and recommended corrective actions to be undertaken.
ix. The final security audit certificate should be in compliance with the standards

2.5 Others
i. The vendor shall maintain the validity of CERT-In empanelled certificate till the end of the
audit.
ii. Bidder must have the capability to carry out the technical network and system security
assessment/audit without access to usernames or passwords of any sort. No test accounts
need to be created for the auditors on the network or systems for network security
assessments.
iii. The bidder and/or their representatives shall be responsible for ensuring security and secrecy
of the information coming to their knowledge during the discharge of their obligations.

iv. Web application security audit should be conducted on a Staging Server on an "as is where
is" basis, which will be almost a replica of the live deployment.
v. Auditing on the live site if any conducted should be non destructive and should not affect
the system.
vi. For Web Application Security Assessment/Audit, an iterative testing procedure shall be
followed, with a gap for fixing issues identified during each iteration. The vendor should
cover at least three iterations. No additional price will be paid for whatsoever reason.
vii. At the end of each iteration, a report detailing the vulnerabilities identified, if any, should be
submitted.
viii. Any configuration changes, patch updates, rule changes or application code changes
suggested by the auditor to remediate will be fixed by the department in 2 weeks from the
submission of findings to the department. The auditor should check if the vulnerabilities
have been mitigated by department after the findings have been closed by the department.
ix. The auditing organization should notify the persons in department in writing before
performing any Denial of Service attacks or Distributed Denial of Service attacks.
x. When IS Audit has to be done for any network infrastructure or operating systems, the
vendor should check if the security best practices of the vendors or OEM given by them have
been followed. If no such practices are followed by the customer (i.e. Telangana ITE&C)
department, the auditor should make a note of the findings.
2.6 Roles and Responsibilities
2.6.1 Roles and Responsibilities of Selected IT Security Audit Agency
 Verify possible vulnerable services only with explicit written permission from the relevant
authority.
 Refrain from security testing of highly insecure and unstable systems, locations, and
processes until the security has been put in place.
 With or without a Non-Disclosure Agreement contract, the IT Security Audit Agency is
ethically bound to confidentiality, non-disclosure of customer information, and security
testing results.
 IT Security Audit Agency should have clarity in explaining the limits and dangers of the
security test.
 In the case of remote testing, the origin of the testers by telephone numbers and/or IP
addresses is made known.
 Specific permission will be sought for tests involving survivability failures, denial of service,
process testing, or social engineering.
 The scope is clearly defined contractually before verifying vulnerable services and explains
the limits of the security test.
 The test plan should include calendar time, man-hours and total hours of testing.
 The IT Security Audit Agency should possess complete know how of the tools to be used as
part of the scope of this work such as where the tools came from, working of the tool etc. and
shall have prior exposure of testing the desired tools in a restricted test area before using the
tools on the customer organization.
 Notify TGTS /Department whenever the IT Security Audit Agency changes the auditing plan
and source test venue, has high risk findings, previous to running new, high risk or high
traffic tests, and if any testing problems have occurred. Additionally, the customer shall get
notified with progress updates at reasonable intervals.
 Submission of all the reports required as part of the IT Security procedure and
processes governed by applicable best practices and Industry Standards, which include the
Vulnerability/Misconfiguration Assessment Report, Risk Mitigation & Recommendation
Report, Compliance Report, Check List, Audit Report, Executive Summary and Final
Compliance Report after all observations.
 Issuance of "Safe to Host Certification" after clearing all the Industry Standard procedures
and processes.
 The Bidder has to submit the compliance towards the following vulnerabilities along with the
Security Audit certificate. Details are as follows:
# Vulnerabilities (Compliance: Y/N)
1 Structured Query Language Injection (SQLi)
2 Directory listing and Information Disclosure
3 Cross-Site Scripting (stored and reflected)
4 Apache Server Status (security Misconfiguration)
5 Default credentials on the admin page
6 PHP info page (security Misconfiguration)
7 Insufficient Transport Layer protection (clear text submission)
8 Load balancer details with administrative privileges

 All communication channels for delivery of report are end-to-end and must be kept
confidential at all point of time.

2.6.2 Responsibilities of TGTS /Department

 TGTS/Client Department shall refrain from carrying out any unusual or major network changes
during auditing/testing.
 If necessary for privileged testing, TGTS/Department shall provide the necessary access tokens,
whether they are logins and passwords, certificates, secure ID numbers, etc., which are typical
to the users of the privileges being tested.
2.6.3 Performance Security
A. The Successful bidder must submit a Performance Bank Guarantee of a lump sum of Rs.1,00,000/-
within 15 working days from the receipt of the Letter of Empanelment for a period of 2 years.
The bank guarantee must be submitted in the name of "TGTS" from any Nationalized Bank,
including public sector banks or Private Sector Banks authorized by RBI, or a Commercial Bank.
B. The Performance Security shall be in the form of Bank Guarantee valid for duration of 30 days
beyond the expiry of contract.
C. The proceeds of the performance security shall be payable to TGTS as compensation for any loss
resulting from the Service Provider’s failure to complete its obligations under the Contract.
D. The Performance Security shall be denominated in Indian Rupees
Laws Governing contract: The contract shall be governed by the laws of India for the time being in force.
Jurisdiction of courts: The courts of Hyderabad-Telangana State shall alone have the jurisdiction to
decide any dispute arising out of or in respect of the contract.

General Manager-TGTS

Bidding Forms

SELF-DECLARATION

{to be filled by the bidder}

To,

The Managing Director,
Telangana Technology Services,

In response to the Tender Ref. No. {Ref. No.} dated {Date} for {Project Title}, as an Owner/ Partner/ Director/ Auth. Sign. of
{Name of Bidder}, I/ We hereby declare that presently our Company/ firm {Name of Company/ Firm}, at the time of bidding:
a) possess the necessary professional, technical, financial and managerial resources and
competence required by the Bidding Document issued by the Procuring Entity;
b) have fulfilled my/ our obligation to pay such of the taxes payable to the Union and the
State Government or any local authority as specified in the Bidding Document;
c) is having unblemished record and is not declared ineligible for corrupt & fraudulent
practices either indefinitely or for a particular period of time by any State/ Central
government/ PSU/ UT.
d) does not have any previous transgressions with any entity in India or any other country
during the last three years
e) does not have any debarment by any other procuring entity
f) is not insolvent in receivership, bankrupt or being wound up, not have its affairs
administered by a court or a judicial officer, not have its business activities suspended and
is not the subject of legal proceedings for any of the foregoing reasons;
g) does not have, and our directors and officers not have been convicted of any criminal
offence related to their professional conduct or the making of false statements or
misrepresentations as to their qualifications to enter into a procurement contract within a
period of three years preceding the commencement of the procurement process, or not
have been otherwise disqualified pursuant to debarment proceedings;
h) does not have a conflict of interest as mentioned in the bidding document which materially
affects the fair competition.
i) will comply with the code of integrity as specified in the bidding document.
If this declaration is found to be incorrect then without prejudice to any other action that may be
taken as per the provisions of the applicable Act and Rules thereto prescribed by GoR, my/ our
security may be forfeited in full and our bid, to the extent accepted, may be cancelled.
Thanking you,
Name of the Bidder: -
Authorised Signatory: -
Seal of the Organization: -
Date:
Place:

Form P1 – General Information of Bidder

| # | Description | Details | Supporting Documents with page nos. |
|---|---|---|---|
| 1 | Name of the Company | | |
| 2 | Date of Incorporation (Registration Number & Registering Authority), PAN No. and GST | | ROC, PAN & GST |
| 3 | Legal Status of the Company in India & Nature of Business in India | Public Ltd Company/ Private | |
| 4 | Address of the Registered Office in India | | |
| 5 | Name & e-mail id, Mobile number, fax of the Contact Person | Name: / Designation: / Mobile: / Email: | |
| 6 | Website | | |
| 7 | Certification Details: A. CERT-In; B. ISO 9001; C. ISO 27001; D. Any other certifications | Certificate No: / Valid Till: / Issued by: | |
| 8 | EMD details | DD No. & Date: / Amount: / Name of the Bank: / Valid up to: | |
| 9 | Proof of purchase of bid document | Receipt No: / Date of purchase: | |

Date: ________ Signature of Bidder & Stamp

Form P2 – Financial Turnover Details
(All values in Rs. crore)

| # | Financial Year (1) | Total turnover of the bidder (2) | Turnover from Similar Services (3) | Net Worth of Company (5) |
|---|---|---|---|---|
| 1 | 2021-22 | | | |
| 2 | 2022-23 | | | |
| 3 | 2023-24 | | | |

Note:
A. Turnover in areas other than those mentioned above shall not be considered for evaluation.
B. Please attach audited Balance Sheets and IT return statements confirming the figures mentioned in column (2).

Form P3 – Details of Past Project Experience

| Description of Item | Details |
|---|---|
| Name of the Client Department | |
| Contact address & details of the department | |
| Value of the Project | Rs. |
| Services rendered | |
| Date of Start of Work | (DD/MM/YY) |
| Date of Completion of Work | (DD/MM/YY) |

Identified bidder should submit any of the following:

i. PO / Work order
ii. Work completion certificates / Performance Certificate from the client dept., duly signed by the authorized signatory from the Client end.

Enclosures submitted: Yes / No

Place: ________
Date: ________
Bidder's signature and seal.

Form T1 – Technical Bid Proposal

The bidder should submit the following in the Technical Proposal:

1. Approach & Methodology to undertake the required Audits.
2. Expertise in the specific areas.
3. Industry Best practices & Standards in Audits for compliance.
4. List of Information Security Audit Tools used (commercial/ freeware/ proprietary), with copies of licenses of the tools which will be used for security audits. In case of open source tools, submit an undertaking for the same with details.
5. Details of technical manpower proposed to be deployed for undertaking information security audits in Government, along with experience and certifications.
6. Any other relevant information.

DATE : _________ SIGNATURE OF BIDDER & STAMP

Form F1 – Financial Bid Format

Schedule 1:

| # | Categorization of Service | Qty (Nos) | ONLINE: Total price incl. taxes and duties etc (Rs.) | ONSITE: Total price incl. taxes and duties etc (Rs.) |
|---|---|---|---|---|
| 1 | Static Web applications hosted on Windows/Linux or equivalent, 35 web pages approx. | 01 | | |
| 2 | Dynamic Web applications hosted on Windows/Linux or equivalent (Static web pages: 20; Dynamic pages: 30; Input fields: 300) | 01 | | |
| 3 | Security Audit of Mobile applications | 01 | | |
| 4 | Web services/API | 01 | | |
| 5 | Network security audit (VAPT) | 01 | | |
| 6 | Configuration Audit – Servers/Devices | 01 | | |
| 7 | Wireless security audit | 01 | | |
| 8 | Compliance audits | | | |
| | a. ISO 27001 | 01 | | |
| | b. IEC 62443 | 01 | | |
| | c. IEC 27019 | 01 | | |
| | d. PCI | 01 | | |
| 9 | Finance Sector Audits | | | |
| | a. Swift | 01 | | |
| | b. ATMs | 01 | | |
| | c. Payment Gateway Application | 01 | | |
| 10 | Cloud security Audits | | | |
| | a. Simple: with static pages/ lines of code | 01 | | |
| | b. Medium: with below 25 dynamic pages/ forms/ lines of code | 01 | | |
| | c. Complex: more than 25 dynamic pages/ forms/ lines of code | 01 | | |
| 11 | Physical Access Controls & Security testing | 01 | | |
| 12 | Information Security Testing | 01 | | |
| 13 | Business Continuity Planning / Disaster Recovery Audit | 01 | | |
| 14 | Application Source Code Review | | | |
| | a. Simple: with static pages/ lines of code | 01 | | |
| | b. Medium: with below 25 dynamic pages/ forms/ lines of code | 01 | | |
| | c. Complex: more than 25 dynamic pages/ forms/ lines of code | 01 | | |
| | TOTAL (Rs.) | | | |
| | Grand Total (Rs.) | | | |

Schedule 2:

A. ONLINE Handling of Audit:

| # | Item Description | Static web application | Dynamic web application | Mobile Application | Web services |
|---|---|---|---|---|---|
| 1 | Renewal of Security audit of portals based on Schedule 1 (% of quoted price) | | | | |

B. ONSITE Handling of Audit:

| # | Item Description | Static web application | Dynamic web application | Mobile Application | Web services |
|---|---|---|---|---|---|
| 1 | Renewal of Security audit of portals based on Schedule 1 (% of quoted price) | | | | |

Schedule 3 (Web Page Wise Pricing):

| # | Desktop / Mobile Website and Web Applications | Qty (Nos) | ONLINE: Total price incl. taxes and duties etc (Rs.) | ONSITE: Total price incl. taxes and duties etc (Rs.) |
|---|---|---|---|---|
| 1 | Static web page (per page) | 01 | | |
| 2 | Dynamic web page (per page) | 01 | | |
| 3 | Input fields (per field) | 01 | | |

| # | Item Description: Renewal of Security audit of portals based on Schedule 3 (% of quoted price) | ONLINE | ONSITE |
|---|---|---|---|
| 1 | Static web application | | |
| 2 | Dynamic web application | | |

Note:
1. L1 will be selected service-wise and considered for Empanelment.
2. The Grand Total value of Schedule 1 should be entered in the eProcurement portal as a lump sum value. However, the L1 evaluation shall be undertaken as per the Bid Evaluation criteria.

DATE : _________ SIGNATURE OF BIDDER & STAMP


--o0o--
