Security Audit Terms Of Reference (TOR) at Living Goods

Background

Living Goods empowers community health workers (CHWs) with tools that enable them to save lives within communities. Living Goods works with governments and MoH across the developing world to define, entrench and operationalise community health systems which directly benefits members of communities.

As part of this work, Living Goods has worked with its partners to provide smartphone and tablet apps that enable CHWs to collect information on people within catchment areas, document disease prevalence as well as perform digitally assisted diagnoses and dispense drugs to people in the community.

Given the sensitive nature of healthcare information, Living Goods would like to retain the services of an enterprise software architect to perform a security and architecture audit of the entire application, networks, devices and other operational aspects of its digital healthcare product setup.

Key Tasks

The purpose of IT security audit is to provide an independent evaluation of Applications, Database, Server Architecture and Network infrastructure to identify any gaps in systems and an adequate IT security framework in accordance with best practices of industrial Enterprise Architecture Framework. The scope would include assessment of Living Goods' applications, security settings, server, Network and associated IT infrastructure. The main goals of the security audit are the following:

• State of affairs report: To review the overall application and network technical design and deployment with a view to determining whether these designs are fit for purpose and what gaps and holes exist within these designs and deployments.
• Application software architecture review: To provide assurance that the technical architecture of the SmartHealth, Supervisor and other operational and ancillary applications meet the current and future needs of the organization. The auditor must assess control and authorizations, error and exception handling, business process flows within the application software and complementary controls (enterprise level, general, application and specialist IT control) and procedures and validation of reports (both operational and financial) generated from the system.
• Network architecture and security review: Given that the environments that Living Goods operates in possess different policy frameworks dictating the storage and transmission of healthcare and financial data, we are keen to have the consultant perform a network and data transmission security audit to outline the threats and gaps that are presented by this. The aim of this audit is to provide assurance that the components of our deployments (databases, web and application servers, cache systems, along with other systems) are fully secure and are corresponding to the controls objectives of the control system. Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.
• Data integrity review: To provide assurance that the database design and structure provides the best possible design for the organizational needs and corresponding application and future integration needs. The purpose is the scrutiny of live data to verify adequacy of controls and impact of weaknesses, as noticed from any of the above reviews.
• Business continuity review: The review includes existence and maintenance of fault tolerant and redundant hardware, backup procedures and storage, and documented and tested disaster recovery/business continuity plan, effectiveness of disaster recovery plan, as well as ensuring existence of well-defined I.S Audit manual and its compliance thereon.
   

Responsibilities

A comprehensive Digital Applications, Information Systems Security Audit must be undertaken covering various key processes and procedures undertaken at multiples sites:-

• Penetration testing and Vulnerability assessment
• Application software architecture analysis
• Scaling and expansion options and policy framework
• Data integrity audit
• Security& Privacy policies
• Business continuity assessment
• Change Management procedures
• Logical Access Controls
• User Management and Security audit
• Performance, Scalability and Availability audit
• Consistency with requirement Specification audit
• Incident management
• Backup practices
• Software Document Management
   

Deliverables

The consultant will be required to provide following deliverables:

• State of affairs report
• Application software architecture audit report
• Data integrity audit report
• Business continuity audit report
• Network security audit report
• Backup practices report
• Inception report
• Draft Gap Analysis report, with recommendations, and
• Final Comprehensive report
   

Minimum Qualifications And Experience

• Technically sound. You have a Masters-level degree in public health, international development, and/or university degree in information and communication technology or computer science. You have 5+ years of experience implementing digital health or large-scale projects at global level, as well as providing technical assistance to government, donors and/or implementing partners.
• Stakeholder Management. You understand how national stakeholders operate and can corelate expectations of the key players i.e. government staff, implementing partners, donors, etc. in digital and/or community health. You are well versed with the stakeholder landscape, coordination norms, and decision-making protocol to ensure efficient alignment.
• Articulate. You are fluent in written and spoken English. You have excellent communications skills, both orally and written, for policy briefs, PowerPoint presentations, et cetera.
• Analytical. You have exceptional analytical skills. You possess critical thinking skills to enable troubleshooting in unpredictable environments.
• Adaptable. You are eager to work with people of different technical backgrounds: the private sector, social entrepreneurial sector, non-profit sector and public health community. You have proven ability to contribute and to succeed in a fast-paced setting that requires independent thinking. You are solutions oriented.
• Project management master. You are disciplined, methodical, and organized. You are detail-oriented in your knowledge management and information systems, from email to Dropbox folders. You keep your eyes on the prize, but also set and achieve collective goals with others along the way. You are self-directed and able to move things forward with limited input from others.
• Team player. You play well with others and enjoy seeing the impact of our work as a team.
• Multitasker. You're able to juggle multiple tasks at once while 'keeping calm and carrying on.' You think strategically, handle ambiguity, and work well in a multicultural environment.
   

Evaluation Criteria

The evaluation criteria for evaluation of the proposal will be as mentioned below:

• Work experience in a Consulting Firm
  • General Experience
  • Special Experience
• Qualification and Experience of Manpower
  • Team Leader
  • IT Expert
• Methodology of Job accomplishment and work plan
• Knowledge Transfer
• Understanding of TOR
   

Submission And Handling Of Proposal Bids

• Please Submit one soft copy (by email) of technical and financial bids in PDF format to

procurementKE@livinggoods.org by the 27th March 2020.

• Proposals shall include:

• Capacity statement detailing relevant qualifications and experience and CV(s) of key personnel working on the study
• Detailed timeframe specifying milestones towards key deliverables
• A detailed budget including the associated costs.

Misrepresentation. LG decision-making process, will to a large extent be reliant upon the information supplied by bidder. Should it be found that aspects of such information are incomplete, untrue or misleading, LG reserves the right to terminate /disqualify the bidder.

Evaluation of Bids.

•  Evaluation of bids submitted pursuant to this RFP will be carried out by LG as appropriate.
• In evaluating bids, LG will seek best value for money rather than merely the lowest price bid.
• LG reserves the right to do partial awards.
• Amendments. If at any time prior to award LG deems there is a need for a significant modification to the terms and conditions of this RFP, LG will issue such a modification as a written RFP amendment to all competing bidders. No oral statement of any person shall in any manner be deemed to modify or otherwise affect any RFP term or condition, and no bidder shall reply on any such statement. Upon release of this RFP, all bidder communications concerning this RFP should be directed to the RFP requestor. Unauthorized contact regarding this RFP with other
• LG employees may result in disqualification
• Post-Tender and Iterative Negotiation. LG reserves the right, in its sole discretion, to conduct post tender and/or iterative negotiations to the extent necessary.
• Extension of Bid Validity Dates. When necessary and appropriate under the circumstances, LG may request bidders in writing to extend the validity period of the bids. A bidder may refuse to extend its bid however; its bid will be disqualified.

Rejection or Award.

LG is not bound to accept the lowest price and reserves the right to accept any bid in a whole or in part and also to reject any or all tenders without disclosing any of its reason for taking of the decision resulting from this RFP. In the event that this contract is split the pricing offered in the bid is expected to be maintained. Should there be pricing differences in line with business awarded; this must be clearly stated in your proposal.
Rejection may be initiated by the following circumstances; (i) None of the bids are adequately responsive to the specifications, (ii) there is evidence of insufficient competition, or (iii) the lowest bid exceeds the estimated value or funds available by a significant amount and cannot be reduced by negotiation etc.
All awards are subject to availability of adequate funds from LG and the receipt of all required approvals from Donors.

LG will officially notify all successful and unsuccessful bidders.