bank muscat Version 8.0

Ref. CPD-RFP 25/20

Request for Proposal

For

Patch Management Enterprise Solution

BM/CPD/RFP Confidential Page 1 of 22



Document Revision History

Version No | Release Date | Author | Reviewer | Approver | Revision History

8.0 | 01.04.2016 | Fasal Deepak | First paragraph changed to place bank summarized status as on 2015 end. NDA document changed as per legal advice. Few minor corrections for incorporating generic department name etc. so that appropriate user department name can be placed.


Request for Proposal

1) Introduction

With assets worth over USD 32.5 billion, bank muscat is the leading financial services provider in Oman
with a strong presence in Corporate Banking, Retail Banking, Investment Banking, Islamic Banking,
Treasury, Private Banking and Asset Management. The Bank has the largest network of 151 branches,
700 ATMs, CDMs & FFMs and more than 17000 PoS terminals. The international operations consist of a
branch each in Riyadh (Kingdom of Saudi Arabia), Kuwait and a Representative Office each in Dubai
(UAE) and Singapore.

1.1) Background Information for Vendors

Bank Muscat is requesting to procure an enterprise patch management solution that has the capability to fix
vulnerabilities on Windows and non-Windows platforms. Apart from OS vulnerabilities, the tool should
support fixing third-party software vulnerabilities, mobile device vulnerabilities, a Wake on LAN feature,
software distribution, operating system deployment, software/hardware inventory, switch/router
related vulnerabilities and enhanced reporting capabilities.

2) Objectives & Requirements

2.1) Objectives

The Objective of the patch management solution is to fix vulnerabilities in a seamless manner for both
operating system and third party software and network routers /switches and to have a complete centralized
control and operation suite for the proposed patch management solution.

2.2) Requirements

The following are the detailed functionality requirements from the bank, and the vendor must provide
detailed response with appropriate supporting evidence for the below mentioned items.

# Description Vendor response


Patch Management Enterprise Solution
1. All proposed solutions should be consolidated and integrated within
the single management console.
2. Should have the capability of LDAPS integration with AD for user
authentication.
3. Should have the capability to support external authentication and
multi-factor authentication.
4. Should have customizable dashboards.
5. Should have the capability to integrate with IBM QRadar SIEM and
service desk solution.

6. Should have the capability to set custom privileges, profiles and
groups.
7. Should have custom and predefined profiles of (action, scan, update,
policy deployment, health check) for integrated/consolidated
solutions as (one system, group, globally) that can be performed
manually or automatically.
8. Should have the capability to generate and email reports
periodically.
9. Should have the capability to deploy patches to databases like SQL,
Oracle, Postgres etc.
10. Should have Audit tracking logs.
11. Should have the capability to remotely deploy and push policies to
the endpoints.
12. Patch Management dashboard should have statistical and visual
monitors.
13. Should have the capability to log actions generated by users and
actions automatically generated by the solution.
14. Should have the capability to log all user changes.
15. Should have the capability to generate reports per specific managed
host, users, group, and agent version.
16. Identify unmanaged assets in the environment and deploy agents
automatically.
17. Should have hardware and software inventory management.
18. Should have software packaging and/or distribution feature.
19. Should have diagnostics and remote management tools
20. Should have Remote Management Console (MMC/Windows)
21. Multiple operating systems support (Microsoft/UNIX/Linux/Mac)
22. Should have Power management feature.
23. Should support operating system deployment.
24. Should support Mobile device patch /firmware deployment.
25. Should support network devices patch / firmware deployment.
26. Should have Wake on LAN (WOL) support, where it can wake the
machine, wait for it to complete booting, and then patch it.
27. Should have WOL relays support
28. Should have Automated download of critical and recommended
patches
29. Should support TLS 1.2 or higher.
30. End-user notification/action on deployments and reboots
31. Patch assessment and remediation
32. Patch/software/configuration baselines
33. Secure, flexible content delivery.
34. Bandwidth throttling to suit delivery over slow WAN links.

35. Ability to define custom patch lists.
36. Integrated client (agent) deployment tool.
37. Should support patch relay servers (cache/staging servers)
/distribution points.
38. Multiple 3rd-party application software packaging and/or
distribution support.
39. Flexible assessment and deployment options
40. Solution covers security patches
41. Solution covers non-security patches
42. Solution supports creation of custom patch lists
43. Software metering / usage of application. Should provide historical
and real time data.
44. Should support deployment of security baselines to endpoints.
45. Centrally configure Windows Power Plans
46. Ability to push the updates/patches only during specific timeframes
(off-peak hours).
47. Ability to start installing the updates/patches at a specific time of the
day and on specific day of the week.
48. Ability to run specific commands or batch files before initiating the
installation of the updates/patches, e.g. to stop certain services etc.
49. Ability to install updates/patches in a silent mode, where no user
interaction is required, user is not interrupted, and without
displaying any message boxes.
50. Ability to run specific commands or batch files after completing the
installation of the updates/patches, and restarting the machines.
51. Should have comprehensive reports, on-demand, to show
compliance of the machines compared to approved updates and
patches.

2.3) General Instructions

1. Addendum to the Request For Proposals

In the event that it becomes necessary to revise any part of this Request for Proposals, an addendum
will be provided.

2. Evaluation of Proposals

An indicative but not exhaustive list of the criteria for evaluation of the proposals is given below.
- The proposed solution shall meet the primary objectives of the Bank listed in Section-3 of
  this Request for Proposals in the most cost-effective manner.
- The vendor shall be well established and have a proven track record in executing projects
  of this nature.

The Bank reserves the right to reject any or all proposals and to waive informalities in the proposal
process without assigning any reason. The Bank does not intend to enter into an agreement solely
on the basis of a submitted proposal or otherwise pay for the information solicited or obtained.
Subsequent procurement, if any, will be in accordance with appropriate contractual action.
Noncompliance with any condition of this proposal may result in the Vendor being disqualified.

3. Independent Contractor
On award of the Contract, the vendor shall confirm acceptance of the work in writing and shall
complete the work in accordance with the Bank's standard terms and conditions and under those
terms, which are specific to this project.

The vendor shall not re-assign the work to any third party by way of subcontracts without the
express permission of the Bank in writing.

The vendor shall submit the list of Certified Engineers/Personnel with their CVs who would be
carrying out the work on award of the Contract. The Information Security department will issue
an authorization letter under those names for their access to the Bank premises for the execution
of the assigned work.

Once the bank accepts the design and solution document proposed by the vendor, the vendor
shall be responsible to implement the same without any additional cost to the bank.


4. Royalties and Patents


The Vendor shall pay royalties and license fees and defend all suits resulting from claims for the
same on all software, materials, and equipment purchased outright or leased and installed by
them to bank according to the specifications of the Bank.

3) Scope of Work for Vendors

The scope of work covers the requirements detailed above at 2.2. While the intent is to consolidate all
the above requirements with one technology, the Vendor may submit proposals with a strategy to fulfill
all the requirements with the minimum number of technologies.

4) Cost of the proposed solution

The vendor shall submit a detailed financial proposal with a break up of costs.

Prices quoted shall be inclusive of all Taxes, Travel, Stay and Visa costs whatsoever payable by the Vendor.
The Bank is not liable to pay any other costs which are not included in the proposal. Any taxation
liability of the bank should be clearly communicated in the cost proposal.

Any Payment required to be withheld under the Law by the Bank and paid to the Government shall
be deemed to have been paid to the Vendor.

The Bank shall not be liable for any costs incurred by the Vendor in preparing or submitting a
proposal to the Bank.

5) Validity

Instruction to the vendor: The commercial terms and conditions mentioned in the proposal should be
valid for a minimum period of 60 calendar days.

6) Warranty

H/W warranty is for 1 Year and 90 days for S/W


7) Maintenance

The general term for warranty is that the vendor shall submit a draft maintenance contract, which shall
include spares (in case of H/W) and labor at zero cost to the bank during the warranty period. The terms
for maintenance of S/W shall be specified by the vendor.

8) Bank's responsibility
The Bank reserves the right to accept or reject any proposal or any item or items proposed by the vendor
at the Bank's sole discretion without assigning any reasons.
The Bank's Information Security Department will review the deliverables at each Phase and approve them for
acceptance before moving forward to the next stage.

The bank will assign a Project Manager for the duration of the project. Until the work is completed and
handed over to the Information Security Department, all correspondence relating to this project shall be
communicated to the bank through this contact point.

9) Vendor responsibility
On award of the Contract, the vendor shall confirm acceptance of the work in writing and should
complete the work in accordance with the Bank's standard terms and conditions and under those terms,
which are specific to this project.

The vendor should not re-assign the work to any third party by way of subcontracts without the express
permission of the Bank in writing. Except for the Bank's responsibilities as cited in clause 8 above, the Vendor
shall ensure to cover all and every aspect of the project to complete it in its entirety.

The vendor shall submit the list of Certified Engineers/Personnel who would be carrying out the work
on award of the Contract. The Information Security department will issue an authorization letter under
those names for their access to the Bank premises for the execution of the assigned work.

Vendor will inform the bank if any of the Bank employees is related to bank staff. They will also inform
the bank explicitly if any of the bank muscat employees has any direct or indirect interest in the vendor
company's affairs.

10) Deliverables

The technical solutions must meet all our requirements as specified in 2.2


11) Escalation Procedure

On award of the Contract, the vendor shall endeavor to complete the Project as per the mutually agreed
schedules within the stipulated time. Any difficulties identified by the vendor, which would have an
effect on the target date for completion of the assigned tasks, shall be brought to the attention of the Head,
Information Security.

12) Confidentiality

The Vendor shall agree that they shall not disclose or duplicate any information received from the Bank
as a part of the project requirements to any third party unless the Bank specifically authorizes such
disclosure or duplication in writing. The vendor would be required to sign an NDA in this regard.

13) Indemnification

Vendor shall agree to defend, indemnify, and hold harmless the Bank, its officials, officers, employees,
agents and volunteers from any and all claims, actions, judgments, losses, costs (including personnel
related costs, reasonable attorney's fees and all other claim related expenses) and damages whatsoever,
including but not limited to claims made upon the Bank arising by reason of accident, injury, or death to
any person, to Vendor or to Vendor's agents, employees, servants and all subcontractors or by reason of
injury to property arising out of or in connection with work performed under the contract, except upon
a finding of a trier of fact that such loss was caused by the sole negligence of the Bank. This promise of
indemnity shall specifically apply in the case of injuries to Vendor's own employees.

14) BankMuscat Contact point

Proposal Related | Gopal Naidu | 24768002 | GopalNaidu@bankmuscat.com
Technical queries on the scope | Nasser Al Mahmoodi | 24768998 | nasserha@bankmuscat.com
