SERVICE STC
SPECIAL TERMS AND CONDITIONS FOR
Cyber Security Audit Service
1. Preamble
A. All contracts related to Cyber Security Audit (TPA) services placed through GeM portal shall be governed by the following set of Terms and Conditions:
I. General terms and conditions for Goods and Services (“GTC”)
II. Service specific Special Terms and Conditions (“STC”) contained in this document
III. BID / Reverse Auction specific Additional Terms and Conditions (“ATC”) as may be specified by the Buyer
B. The above terms and conditions are in reverse order of precedence, i.e., ATC shall supersede Service specific STC, which shall supersede GTC, whenever there are any conflicting provisions.
C. This document represents the Special Terms and Conditions (STC) and the Service Level Agreement (SLA) governing the contract between the Government department/Buyer/ Client and Agency/Service Provider. The purpose of this document is to outline the scope of work, stakeholders’ obligations and terms and conditions of all services covered as mutually understood by the stakeholders.
2. Objectives and Goal
The objective of this document is to ensure that all the special terms and conditions are in place to ensure consistent delivery of services to the Buyer by the Service Provider. The goal of this document is to:
⦁ Provide clear reference to service ownership, accountability, roles and responsibilities of both parties
⦁ Present a clear, concise and measurable description of services offered to the Buyer
⦁ Establish terms and conditions for all the involved stakeholders, including the actions to be taken in case of failure to comply with the conditions specified
⦁ Ensure that both the parties understand the consequences in case of termination of services due to any of the stated reasons
This document will act as a reference document confirming that both the parties have understood the above-mentioned terms and conditions and have agreed to comply with the same.
3. Stakeholders
The main stakeholders associated with this agreement are:
i. Buyer: The Buyer/ Client is responsible for providing clear instructions, approvals and timely payments for the services availed as per the contractual terms
ii. Service Provider: The service provider is responsible for providing all the required services in a timely manner and to the satisfaction of the Buyer / its authorized representative. The service provider may also include seller, supplier/bidder/contractor, any authorized agents, permitted assignees, successors, and nominees as per the context and as described in the document.
The responsibilities and obligations of the stakeholders have been outlined in this document. The document also encompasses payment terms and deductions in case of non-adherence to the defined terms and conditions.
4. Service Scope
The objective of a cyber security or IT security audit is to provide objective assurance and audit services to monitor/assess the conformance of any infrastructure with laid down policies, standards, processes, laws and regulations. It helps identify risks and improve the effectiveness of infrastructure, operations, service level management, control and governance processes. The following activities would be included as part of the scope:
i. Establish an audit methodology in discussion with the Buyer to ensure the consistency and comparability of the audit on a regular basis
ii. Study the relevant guidelines and contract of existing System Integrator with the Buyer to understand its offering and SLA commitments
iii. Create a framework and procedure for carrying out the audit. In cases of significant non-compliance, establish a mechanism to resolve audit observations
iv. Prepare various templates required to be filled in by the various stakeholders involved in the audit process
v. Prepare/review annual audit plan including stated audit areas and controls
In case Infrastructure Audit is selected by the Buyer as part of technical specifications, the following shall be applicable:
i. Service Provider shall undertake audit for physical and IT infrastructure including verification of completeness of inventory and asset bill of material.
ii. Service Provider would define and audit the control points for inventory audit
iii. Service Provider shall appraise the Buyer about the health of the components through reports indicating the capacity utilization and corresponding scalability requirements.
iv. Service Provider shall audit the consumables such as Electricity, Diesel, Bandwidth cost etc.
v. Service Provider shall include recommendations to the Buyer for capacity planning and upgrades as per the requirements of the Buyer
vi. Service Provider shall also cover obsolescence of the physical and IT infrastructure as per the policy defined by the Buyer. The audit report shall provide details of the infrastructure components that are due for obsolescence and provide recommendations for upgrade /refresh of infrastructure components and plan for disposal of obsolete infrastructure components.
vii. Service Provider must submit an Inventory audit report including executive summary, checklist and compliance
In case Operations, Management Process and Control Audit is selected by the Buyer as part of technical specifications, the following activities shall be applicable:
i. The Service Provider would audit the overall Physical and IT infrastructure management processes as per ISO 20000 framework including Monitoring, Maintenance and Management of the entire infrastructure, along with providing Helpdesk services and provide recommendations
ii. The Service Provider would review and analyze the services being provided to various stakeholders and submit a report with recommendations to the Buyer. It would review the Change Management, communication plan, configuration management, availability management, service level management, facility management, backup procedures etc. to ensure proper processes are in place for operation and maintenance.
iii. Audit the capacity and utilization plan and identify gaps
iv. Audit the exit process of the current service provider, keeping the transition processes and timelines in mind.
v. Audit the process and controls followed by the service provider
vi. Service Provider must submit an Audit report related to processes followed by the System Integrator
In case SLA Monitoring Audit is selected by the Buyer as part of technical specifications, the following shall be applicable:
i. Service Provider will review and monitor the performance with reference to the SLAs defined for the current system integrator
ii. Service Provider shall review the SLA performance and compute penalty, if applicable
iii. Service Provider shall review the existing helpdesk procedures and submit a report with recommendations to the Buyer. The Helpdesk must be implemented in line with ITIL leading practices for service delivery and must necessarily be integrated with management systems to ensure 360° functionality, including monitoring and managing.
iv. Service Provider must submit an SLA audit report highlighting the conformance/ deviation with the SLAs and recommend penalties
In case Security and Compliance Audit is selected by the Buyer as part of technical specifications, the following shall be applicable:
i. Service provider shall perform security audit as per the guidelines issued by the Govt. of India, review the information security policy, and provide recommendations to the Buyer to ensure integrity, confidentiality and availability of information and resources.
ii. Service provider would review the security measures being followed to ensure that the application is free of vulnerabilities at the time of hosting.
iii. Service provider shall conduct the vulnerability assessment & penetration testing on the identified components
iv. Prepare Guidelines and Procedures for conducting Internal Audits of ISMS as per the requirements of ISO 27001 and conduct internal audits for Security.
v. Service Provider must submit a Security Audit report which identifies all vulnerabilities, evaluates the potential risks and prioritizes those risks.
5. Terms and Conditions
5.1. Buyer’s Obligations
i. The Buyer shall nominate a nodal officer from its organization to coordinate with the service provider to facilitate approvals, sharing of data etc.
ii. The Buyer agrees to promptly provide the service provider with information, resources and assistance (including access to records, systems, premises and people) that the service provider reasonably requires to perform the Services, such as:
a. Credentials for every user role would be provided to service provider
b. Network infrastructure diagram and Data Flow details.
c. In case of testing of web applications, Buyer shall provide the number of dynamic pages and number of modules. Buyer shall provide the device model and vendor name for all devices and OS versions. For audit activities related to network, the Buyer shall indicate the number of IP Addresses. For OS, the version will be specified, and super admin credentials of the OS may also be provided to the service provider for testing purposes.
d. For security code review, Buyer shall indicate the language and number of lines of code.
iii. The Buyer shall notify the Service Provider of any dishonest, wrongful or negligent acts or omissions of the Service Provider’s employees or agents in connection with the Services as soon as possible after the Buyer becomes aware of them.
iv. It is advisable to include a Price Variation Clause in long-term contracts to take care of the increase/decrease in prices of various ingredients which majorly affect the overall price of the service. Buyers are therefore advised to include the Price Variation Clause (PVC) in the bid document through ATC for long term contracts. The additional payment, if any, on account of PVC can be done offline till such time as online functionality is developed on GeM.
5.2. Service provider’s obligations
i. Service provider will be required to follow guidelines provided in Guidelines for CERT-In Empanelled Information Security Auditing Organizations Version 3.0 or any latest versions as updated by CERT-In.
ii. Service provider shall undertake confirmatory re-testing for identified gaps in critical applications to ensure that the identified gaps have been successfully closed.
iii. For closure of identified gaps in all internet facing applications and Infrastructure components, External Black Box Penetration Testing shall be done followed by confirmatory testing to ensure closure of such identified gaps.
iv. Mandatory security testing shall be conducted in case of all applications and related infrastructure components so as to check for known vulnerabilities once initially and again whenever major changes in internet facing applications and related infrastructure components take place.
v. Service provider shall provide interim and final reports summarising the test findings along with severity scoring, findings from re-testing, limitations of testing etc.
vi. If required by the Buyer, Service Provider will undertake user awareness and training workshops as per contextual requirement of the Buyer.
vii. The Service Provider will treat as confidential all data and information received from the Buyer and obtained in the execution of its responsibilities under this Contract/ Agreement, in strict confidence and will not reveal such information to any other party without the prior written approval of the Buyer.
viii. The Service Provider shall at all times ensure that the services being provided under this Contract/ Agreement are performed strictly in accordance with all applicable laws, orders, bye-laws, regulations, rules, standards, guidelines, recommended practices etc., including guidelines issued by the Ministry of Information and Technology (MeitY) from time to time.
ix. The Service Provider will deploy personnel with adequate qualification, experience and certifications to carry out activities as per the scope of work. On request of the Buyer, the Service Provider may be required to furnish documentary evidence for the same.
x. The Service Provider will treat as confidential all data and information received from the Buyer and obtained in the execution of its responsibilities under this Contract/ Agreement, in strict confidence and will not reveal such information to any other party without the prior written approval of the Buyer.
xi. All the software, hardware equipment like laptops, tools etc. required to carry out the assignment have to be arranged by the Service Provider. Any travel cost to different locations of the Buyer shall also be met by the Service Provider unless specified otherwise by the Buyer.
xii. Service Provider will use audit tools and any other resources that are licensed and not trial versions. In case open-source tools are used, the Service Provider should ensure that there is no risk to the Buyer and its IT assets.
xiii. Service Provider should disclose the details of automated tools used for accomplishing the scope of work and must hold valid licenses for the same.
xiv. Service Provider will sign a Non-Disclosure agreement with Buyer in the format specified by the Buyer.
xv. The Service Provider shall at all times ensure that the services being provided under this Contract/ Agreement are performed strictly in accordance with all applicable laws, orders, bye-laws, regulations, rules, standards, guidelines, recommended practices etc.
6. Service Formula
Lump sum value will be quoted by the service provider.
7. Payment Schedule
i. The Payment Procedure shall be as specified in the General Terms and Conditions of GeM.
ii. Payment schedule to be as per payment terms specified in bid document.
8. SLAs and Deductions
Unless specified otherwise by the client, the following SLAs and corresponding deductions will be applicable.
S. No. | SLA | Deduction
1. | Delay in deployment of Core Team as specified in bid document | 0.1% of the contract value for every week of delay after the stipulated date for mobilization of team
2. | Delay in submission of deliverable/milestone due to delay attributable to the Service Provider | 0.1% of the contract value for every week of delay
4. | Cumulative penalty should not exceed 10% of the contract value | Buyer may decide to terminate contract, besides levying stipulated deductions.