Request for Proposals: CGIAR Cyber Security Review (Deadline April 14)
What we are seeking:
CGIAR Internal Audit Function (IAF) seeks the services of a consultant to perform a Cyber Security assurance engagement across the CGIAR System exploring the following aspects focusing on highlighted areas:
Cybersecurity risk and compliance (compliance monitoring, issue and corrective action planning)
Security program (security strategy, policy, governance, exception management, shadow IT)
Third-party management (evaluation and selection, on-going monitoring)
Identity and access management (account previsioning, privileged user management)
Threat and vulnerability management (threat modelling and intelligence, penetration testing)
Data management and protection (data classification and inventory, breach notification management), see the note at the end of this section
Risk analysis (information gathering and analysis)
Crisis management and resiliency (recovery strategy, policy and procedures, recovery testing)
Security operations (change control, configuration management, security architecture)
Security awareness and training (security training, security awareness, third-party responsibilities).
The IT operations within CGIAR are largely segregated with each CGIAR entity (i.e. CGIAR Centers and the CGIAR System Organization in this document) being responsible for establishing independent IT security policies and safeguards to protect the respective CGIAR entity’s information assets against increasingly sophisticated cyber-attacks. The ICT shared services governance charter provides the guiding principles of the collectively managed ICT systems including Active Directory, Office 365 which incorporates a hosted Exchange Server and SharePoint, an internal collaboration tool.
In 2020 CGIAR System IAF will also perform a data management maturity assessment. The synergy between the cyber security and the data management maturity assessment will be highly desirable.
Deliverables and timeline:
The engagement’s output will be a report presenting a combined assessment of cyber security arrangements across CGIAR, discussed and shared with all CGIAR Center cybersecurity focal points and ICT leaders, Center AC Chairs, Center Heads of Internal Audit and SMB’s Audit and Risk Committee, offering insights and practical solutions to address identified vulnerabilities.
Your response to this request for proposals should be prepared in accordance with the following Table of Contents:
No on-site visits are envisaged as part of this review; all work will need to be carried out remotely.
Virtual consultations are expected to be undertaken by Skype and/or through a www.bluejeans.com portal. Access to the latter will be facilitated by the CGIAR System Organization.
Consultants are responsible for all tax liabilities arising from this assignment.
Consultants are responsible for securing their own insurance arrangements.
Scope of work:
The scope of this RFP includes 15 CGIAR Centers and the CGIAR System Organization. The consultant will employ a phased approach to perform the engagement as follows:
- Understand the institutional context and assess potential cyber risk and vulnerabilities across CGIAR computer systems, applications and network infrastructure.
- Review, analyze and independently validate results of relevant assurance activities (i.e. cyber security assessment, penetration tests, simulated phishing attacks) carried out in the past two years by CGIAR Center IT functions, Internal Audit teams and the CGIAR System IAF.
- Review IT policies to assess adequacy of design of the controls to mitigate against cyber security risks and vulnerabilities.
- Assess IT security strategy, governance, culture, organizational structure and systems.
- Considering part 1 – 4, perform a gap analysis comparing CGIAR cyber security capabilities against security best practices like NIST, COBIT 5 or ISMS ISO27002 framework.
- Report on CGIAR cyber security assessment and present the findings including:
- Prioritized options including estimated costs of mitigation solutions to address identified vulnerabilities / deficiencies
- Optimal structure and resource requirement to implement mitigation solutions and ongoing support
- Security improvement roadmap including future considerations that would benefit all entities within CGIAR in the context of organizational changes
- Proposal of targeted reviews and penetration tests based on the results of the risk assessment.
Phase 2 – The scope of phase 2 will be informed by the outcome of the Phase 1 and could potentially include:
Internal and external penetration testing for selected CGIAR Centers’ applications and / or infrastructure.
Phishing simulation to employees at targeted CGIAR entities to verify their security awareness, potentially using CGIAR security awareness platform.
The following schedule includes key milestones and their associated completion dates and is provided primarily for planning purposes. CGIAR System Organization may modify the project timeline at its discretion.
Knowledge, skills, and abilities:
The applicants must demonstrate prior experience and technical knowledge of conducting similar reviews within a context of a complex international organization with distributed structures.
All proposals will be evaluated on a two-step basis with the technical proposals and the financial proposals being evaluated separately to determine the best value for money. Bidders whose proposals are short-listed may be contacted with questions for clarification.
The evaluation criteria will be as follows:
- Technical Proposal 80% and includes:
- Quality and completeness of the quote response 10%
- Quality of the proposed service 30%
- Strategic, functional, and technical fit 10%
- Experience with similar engagements 20%
- Customer service 10%
- Financial proposal
Total cost of service 20%
How to submit a proposal:
Please submit a narrative proposal and a budget proposal as two separate documents to firstname.lastname@example.org. Both documents can be attached to the same email.
Narrative proposal will consist of no more than 20 pages using Microsoft Word or similar format, font size 11pt., margins no smaller than one inch.
Budget proposal will be presented using Microsoft Excel or similar format and consist of, at a minimum, the following line items: consultant time, resources, travel. The budget will be presented in US dollars.
All proposals must be received no later than April 14, 2020. Only electronically submitted proposals will be considered. Late proposals will not be considered. Shortlisted bidders will be contacted no later than 10 April 2020.
Who we are:
CGIAR is a global research partnership for a food-secure future. CGIAR science is dedicated to reducing poverty, enhancing food and nutrition security, and improving natural resources and ecosystem services. Its research is carried out by 15 CGIAR Centers in close collaboration with hundreds of partners, including national and regional research institutes, civil society organizations, academia, development organizations, and the private sector. These 15 Centers have close to 10,000 staff based in over 50 countries.
Each Center has its own charter, board of trustees, director general, and staff. CGIAR Research Centers are responsible for hands-on research programs and operations guided by policies and research directions set by the System Management Board.
The System Management Board, through its Audit and Risk Committee has an oversight responsibility over CGIAR System risks. The CGIAR System Internal Audit Function (IAF) is responsible for providing assurance on System risks and reports to the Chair of the System Management Board through the Audit and Risk Committee.
In 2020, CGIAR is embarking on an ambitious reform, One CGIAR that would help streamline governance and operational structures and processes across CGIAR. More information can be found here.
The CGIAR System Organization, which is an international organization headquartered in Montpellier, France, provides governance to the CGIAR System in collaboration with the System Council and has about 40 staff. The Organization is committed to cultivating a work environment that reflects teamwork, gender equality, and respect for diversity. We endeavor to foster a multi-cultural environment that is free of any form of harassment and discrimination; and that embraces and values individuals regardless of age, ethnicity, race, gender, national or social origin, marital status or any other form of personal identity.
Please find more information about CGIAR at www.cgiar.org.