TERMS OF REFERENCE

ARCHITECTURAL DESIGN, CONFIGURATION, IMPLEMENTATION AND

DOCUMENTATION OF IT SECURITY

The Fund operates under one office location, with all staff provided with devices such as
Laptops, desktops, smartphones and tablet, while operations are supported by an
Enterprise Resource Planning System hosted both locally and on the Cloud. The internal
communication is via IP telephony, interconnected via a LAN environment. The servers
run on both windows and Linux environment, with the users allocated resources to be
accessed via VLANs and credentials managed through AD. The public access information
via the Fund’s portal with a few services provided online.

The Fund intends to engage a qualified service provider to analyze, design, configure and
implement and perform a security and architecture audit of the entire application,
networks, devices, and other operational aspects of the Fund’s digital setup.

2. OBJECTIVE:

The service provider is expected to ensure 100% functional security framework and
infrastructure at KDIC and that all users can access IT resources securely.

3. SCOPE OF WORK

The Contracted service provider will develop an IT security framework for KDIC which
includes, Systems Security, Infrastructure, Internet, Information access and users’ rights
management. The security solution is expected to address compliance requirements on
day- to-day operation risks, and protection of information resources. The final product is a
computer security framework for KDIC and a plan of implementation.

Key Tasks:

The purpose of this assignment is to provide an independent evaluation of Applications,

Database, Server Architecture and Network infrastructure to identify any gaps in systems
and an adequate IT security framework in accordance with best practices of industrial
Enterprise Architecture Framework. The scope would include assessment of applications,
security settings, server, Network and associated IT infrastructure. The main goals of the
security audit are the following:
 State of affairs report: To review the overall application and network technical
design and deployment with a view to determining whether these designs are fit
for purpose and what gaps and holes exist within these designs and deployments.
 Application software architecture review: To provide assurance that the technical
architecture of the KDIC, Supervisor and other operational and ancillary
applications meet the current and future needs of the organization. The auditor
must assess control and authorizations, error and exception handling, business
process flows within the application software and complementary controls
(enterprise level, general, application and specialist IT control) and procedures and
validation of reports (both operational and financial) generated from the system.
  Network architecture and security review: Given that the environments that Living
Goods operates in possess different policy frameworks dictating the storage and
transmission of healthcare and financial data, we are keen to have the consultant
perform a network and data transmission security audit to outline the threats and
gaps that are presented by this. The aim of this audit is to provide assurance that
the components of our deployments (databases, web and application servers, cache
systems, along with other systems) are fully secure and are corresponding to the
controls objectives of the control system. Review of internal and external
connections to the system, perimeter security, firewall review, router access control
lists, port scanning and intrusion detection are some typical areas of coverage.
 Data integrity review: To provide assurance that the database design and structure
provides the best possible design for the organizational needs and corresponding
application and future integration needs. The purpose is the scrutiny of live data to
verify adequacy of controls and impact of weaknesses, as noticed from any of the
above reviews.
 Business continuity review: The review includes existence and maintenance of fault
tolerant and redundant hardware, backup procedures and storage, and
documented and tested disaster recovery/business continuity plan, effectiveness of
disaster recovery plan, as well as ensuring existence of well-defined I.S Audit
manual and its compliance thereon.

4. DEVELOPMENT STRATEGIES

The Contractor shall develop a set of computer security program details or strategies to
include the following at a minimum.

o personnel security strategy;

o end user computing strategy;

o application systems security strategy; and

o information technology installation security strategy.

For each strategy, the Contractor shall develop draft policies, procedures, and standards.
The Contractor shall prepare documents for each strategy incorporating the above
elements.
4.1 Develop a Personnel Security Strategy

The Contractor shall develop a personnel security strategy. The strategy shall address
policies, procedures, and mechanisms for disseminating information on security
awareness and training, automated information access control, and accountability of
operations.

The Contractor shall coordinate with the KDIC personnel office and the data security
office. This is done to ensure the developed strategy is consistent with KDIC policies and
procedures on position sensitivity classification, personnel security screening, and
information confidentiality. The Contractor shall ensure the strategy applies to all
employees and Contractor personnel whose duties involve accessing the computer system,
system design, development or maintenance, or handling of sensitive information in
hardcopy or computerized form.

4.2 Develop an End User Computer Security Strategy

The Contractor shall develop a computer security strategy specifically addressing end
users. This strategy shall include the necessary degree of protection according to the
sensitivity of the information maintained and processed by the user.

As a minimum, the end user computer security strategy shall cover:

o data and system integrity;

o confidentiality of data;
o access control and accountability;
o separation of duties;
o computer security awareness and training ;
o availability of service and continuity of operations; and
o auditability of operations.

4.3 Develop an Application Systems Security Strategy

The Contractor shall develop an application systems security strategy. The strategy shall
address the safeguards required due to the nature of the data processed. A key
consideration is the risk and size of loss or harm that could result from improper operation
or deliberate manipulation of the application.

The following security and control features shall be included in the strategy at a minimum:

o auditability;
o isolation;
o controllability;
o recoverability;
o sensitivity;
o identification;
o survivability;
o availability;
o integrity and
o confidentiality;

4.4 Develop an Information Technology Installation Security Strategy

The Contractor shall develop an information technology installation security strategy. This
strategy shall include conducting risk analyses and ensuring disaster recovery/continuity
of operations planning for KDIC ADP facilities and contingency planning for KDIC
application systems. This strategy shall address KDIC's unique distributed processing
environment, network, and information sensitivity needs. Included in the strategy shall be
an identification of critical systems and applications. It will also cover risk analysis

methodologies and techniques and alternative processing strategies. The strategy shall
address the following at a minimum:

o individual accountability
o reliability of service
o separation of duties
o continuity of service
o recoverability
o confidentiality of data
o resource protection.

5. Responsibilities:

A comprehensive Digital Applications, Information Systems Security Audit must be

undertaken covering various key processes and procedures undertaken at multiples sites:-

 Penetration testing and Vulnerability assessment

 Application software architecture analysis
 Scaling and expansion options and policy framework
 Data integrity audit
 Security& Privacy policies
  Business continuity assessment
 Change Management procedures
 Logical Access Controls
 User Management and Security audit
 Performance, Scalability and Availability audit
 Consistency with requirement Specification audit
 Incident management
 Backup practices
 Software Document Management

6. Minimum qualifications and experience:

 Technically sound. The lead security expert must have a university degree in
information and communication technology or computer science. Must have 5+
years of experience implementing large-scale projects, as well as providing
technical assistance to government/Agencies.
 Stakeholder Management. You understand how national stakeholders operate and
can corelate expectations of the key players i.e. government staff, implementing
partners, donors, etc. in digital and/or community health. You are well versed with
the stakeholder landscape, coordination norms, and decision-making protocol to
ensure efficient alignment.
 Articulate. Must be fluent in written and spoken English. You have excellent
communications skills, both orally and written, for policy briefs, PowerPoint
presentations, et cetera.
 Analytical. Must have exceptional analytical skills. Must possess critical thinking
skills to enable troubleshooting in unpredictable environments.
 Adaptable. Must be eager to work with people of different technical backgrounds:
the private sector, social entrepreneurial sector, non-profit sector and public health
community. Must have proven ability to contribute and to succeed in a fast-paced
setting that requires independent thinking. Must be solution oriented.
 Project management master. must be disciplined, methodical, and organized. Must
be detail-oriented in knowledge management and information systems, from email
to other backup folders/sites.
  Team player. Must play well with others and enjoy seeing the impact of our work
as a team.
 Multitasker. Must be able to juggle multiple tasks at once while ‘keeping calm and
carrying on.’ must think strategically, handle ambiguity, and work well in a
multicultural environment.

7. DELIVERABLES

The consultant will be required to provide following deliverables:

 State of affairs report

 Application software architecture audit report
 Data integrity audit report
 Business continuity audit report
 Network security audit report
 Backup practices report
 Inception report
 Draft Gap Analysis report, with recommendations, and
 Final Comprehensive report
 Work Plan Development
 Computer Security Program Structure Report and Policy Statement
 Personnel Security Strategy
 End-User Computer Security Strategy
 Application Systems Security Strategy
 Information Technology Installation Security Strategy

Review Data Security

The Contractor shall examine sensitive and critical databases and files. The Contractor
shall develop a list for review of data security techniques and methods, which, at a
minimum, shall include:

o access control, integrity controls, and backup procedures:

o data element documentation:
o sensitive data procedures and implementation.
o existing privacy policies and protections:
o data access (both the authorization and implementation):
o application software and how applications are moved into production;
o written user responsibilities for management of data and applications; and
o direct access storage device (DASD) management techniques and the

Review Operating System Security

The Contractor shall examine the specific operating system. This examination shall, at a
minimum, include:

o review of the operating system and its installation;

o backup and restore procedures;
o review of system exits;
o verification of audit trails;
o review of handling and availability of system logs;
o identification of change control procedures (installation of new software releases);
o check for procedures which ensure that software patches are kept current;
o review of installation for integrity;
o review interfaces to access control package (if installed);
o identification of primary access control software and files and procedures for
ensuring that all software runs under its control;
o review of access authorizations for appropriateness and completeness; and
o review of interfaces with the access control package for integrity.
Review Application Software Security

The Contractor shall review the system development life cycle (SDLC) used to manage
application development and maintenance. This review shall minimally include:

o methods for developing and documenting application controls;

o adherence to SDLC:
o a review of quality assurance and testing procedures;
o change control procedures for corrections and enhancements;
o check for procedures which ensure that software patches are kept current;
o system documentation and security standards and adherence to both; and
o application operation and access to applications.
The contractor shall develop a report on KDIC personnel security policies and procedures
covering such elements as position sensitivity classification, personnel security screening,
information confidentiality, and security training and awareness. The report shall address
whether the policies and procedures cover personnel in all positions with access to
sensitive data.

Review Network Security

The Contractor shall review network security, evaluating its confidentiality, integrity, and
availability. This review shall include, as applicable, access control, authentication,
security administration, type and security of network media, security of file and print
servers, encryption, interfaces between network and operating system/application
software security modules, and conformance to networking standards.

Program Implementation Report

The Contractor shall develop a program assessment report which summarizes overall
security compliance. The report shall detail major security weaknesses requiring
correction and potential savings. It shall provide a summary of each area by: area
reviewed, findings, impact of weaknesses in security (if any), and recommendations of
actions that could be taken by management (if any). The report shall also identify those
areas requiring more detailed study.

8. EVALUATION CRITERIA:

The evaluation criteria for evaluation of the proposal will be as mentioned below:

 Work experience in a Consulting Firm

o General Experience
o Special Experience
 Qualification and Experience of Manpower
o Team Leader
o IT Expert
 Methodology of Job accomplishment and work plan
 Knowledge Transfer
 Understanding of TOR