TERMS OF REFERENCE FOR CERTIFICATION BODIES (CBs)

Transcription

1 TERMS OF REFERENCE FOR CERTIFICATION BODIES (CBs) AUGUST 2014

2 1. Introduction National Information Technology Authority (NITA-U) was established by the Act of Parliament (National Information Technology Authority, Uganda Act of 2009) and was operationalized in The authority was charged with an overall mandate to coordinate, promote and monitor the development of Information Technology (IT) in the context of social and economic development of Uganda. Among the main functions of the authority section 5(f) of the NITA-U Act 2009 mandates NITA-U To set, monitor, regulate and enforce standards for Information Technology hardware & software planning, acquisition, implementation, delivery, support, organization, sustenance, disposal, risk management, data protection, security and contingency planning. In order to promote standardization across the IT Industry in Uganda, the NITA-U is in the process of implementing the Accreditation and Certification Framework (ACF). The Framework is intended to be used to Certify and Accredit IT Service Providers, IT training, IT Professionals and IT Products (Hardware and Software) with a view of ensuring quality delivery of IT Services to the citizens of Uganda. NITA-U shall in performing above functions, consult and cooperate with other Institutions/organizations with functions related to, or having aims or objectives related to Accreditation and Certification. Section 32(2) of the NITA-U Act 2009 (Relationship with other Organization) mandates NITA-U to delegate any of its functions under the Act to any organization. In implementing the Accreditation and Certification Framework therefore, NITA-U shall prequalify Certification Bodies (CBS) to offer Certification Services on its behalf in line with the above section of the NITA-U Act The Certification bodies shall issue Certificates to IT Training Institutions, IT Professionals, IT Service Providers and IT Products upon verification, testing, Assessing and ascertaining that the requirements have been met in accordance with the requisite industry standards. The Certificate issued by the Certification Bodies shall act as confirmation that the Training Institution, professional, provider as well as products have been attested/approved to operate. NITA-U therefore requires the services of Certification Bodies (CBs) to conduct/offer Certification activities/services on its behalf in the above areas. 2. Objective of the assignment 2.1 Main objective of the Assignment The main objective of the assignment is to Certify/Accredit IT Service Providers, IT Training Institutions, IT Professionals as well as IT Products (hardware and software) on behalf of NITA-U in a consistent, competent, credible and reliable manner thereby ensuring quality in the delivery of IT services to the citizens. Holy Spirit Take Over Page 2

3 2.2 Specific Objectives The specific objectives of the assignment are as follows: 1. To grant/issue certification where there is sufficient evidence of conformity to the requisite standards by the IT Service provider, products, IT training institutions and professionals. 2. To establish strategic alliances with other National/International agencies engaged in Accreditation/Certification/conformity assessment activities. 3. To create and increase awareness of the role, value and integrity of independent third party certification and/or notification. 4. To promote, support, encourage efficient certification and notification to ensure consistent application of IT standards in the delivery of IT services, products and Training to consumers 5. To continuously review and upgrade technical content/requirements for the delivery of IT services in line with market need. 6. To enhance capacity of IT Service providers to adapt and innovate to meet the current and future technological challenges as well as evolving regulatory issues within the IT Industry in Uganda. 7. To continuously improve and sustain quality of IT certification services, consistent with market requirements and technological developments thereby providing better value to consumers. 8. To promote professionalism within the IT industry by ensuring alignment and adherence to ethical code of conduct and global IT training service standards by the IT professionals and IT Training Institutions. 3. Scope of Work The Certification services/activities shall be conducted to certify IT training Institutions, IT Service Providers, IT Products (hardware and software) and IT Professionals. The detailed scope of work has been provided in the specific tasks and the time span in sections 3.1 and 3.2 respectively. Holy Spirit Take Over Page 3

4 3.1 Specific Tasks The following specific task should be undertaken by the Certification Bodies (CBs), although new areas of importance proposed by the stakeholders shall be included as well: (a) Benchmark and develop fees structure for Certification of IT Training Institutions, IT Service Providers, IT Products and IT Professionals. (b) Develop Plans, Procedures and tools for Certification in the areas mentioned above as well as propose key competences required for conducting Certification in the areas. (c) Conduct application reviews for Certification in the above areas for completeness (d) Develop Certification Audit Plans, Methodology and Strategy including work plans for each of the specific areas. (e) Conduct Certification Audits in accordance with the requisite IT Industry Standards and develop reporting mechanisms for Certification audits. (f) Award Certification to IT Service Providers, IT Training Institutions, IT Products and IT Professionals upon fulfillment of the requirement for Certification in accordance with the specified standards. (g) Develop a Monitoring and Evaluation Framework for compliance to requirement of Certification status/award (h) Develop mechanism for communication, reporting, receiving and providing feedback/responses regarding Certification Reviews, Audits, Inspections, Standards, Corrective actions, Certification awards, appeals, clarifications and complaints etc. (i) Develop strategy/framework for collaboration with other National/International agencies /Accreditation/Certification/bodies/Laboratories engaged in conformity assessment activities (j) Develop Advocacy and Dissemination Plans for the Accreditation and Certification activities/programme including conducting awareness among stakeholders on the initiative. (k) Build Capacity of NITA-U as well as key stakeholders to coordinate and manage the Accreditation and Certification environment Holy Spirit Take Over Page 4

5 4. Expected Deliverables The Certification Bodies(CBs) shall submit to the National Information Technology Authority (NITA-U) the following reports, documents and outputs in English in approval prescribed format, both soft and hard copies: (i) (ii) Inception Report prior to commencement of Certification activities in any of the areas mentioned above Accreditation and Certification fees structure for IT Training Institutions, IT Professionals, IT Service Providers as well as Products, (iii) Documented list of resources (Personnel competencies, materials, equipment, standards, security etc.) required for Accreditation and Certification in the specific areas. (iv) Mechanism/Criteria for selection of Certification Auditors for the respective areas (v) Certification Audit Plan, Methodology and Strategy including work plan for each of the specific areas. (vi) Certification Instruments (templates, checklists, questionnaires and forms) (vii) Framework for communication, reporting, receiving and providing feedback/responses regarding Certification Applications, Reviews, Audits, Inspections, Standards, Corrective actions, Certification awards, appeals, clarifications and complaints etc. (viii) Framework for verifying, documenting and reviewing the effectiveness of Corrective Actions undertaken to address issues identified during Certification Audits. (ix) Monitoring and Evaluation Framework for the Certification Programme (x) Framework for collaboration with other National/International agencies /Accreditation/Certification/bodies/Laboratories (xi) Advocacy and Dissemination Plans for the Accreditation and Certification activities/programme (xii) Framework for building capacity of stakeholders as well as NITA-U to manage the Certification and Accreditation environment Holy Spirit Take Over Page 5

6 4.2 Time span The Certification Bodies upon being pre-qualified by the NITA-U shall carryout the above tasks for a period of THREE (3) YEAR renewable upon satisfactory performance. 5. Reporting The medium of communication for the assignment shall be English. The Certification body will produce the documents and Reports in both electronic and hard copy formats, as Microsoft Word documents, and submit them to the NITA-U. 6. Responsibility of NITA-U (i) The Executive Director will be the contact person in NITA-U for the duration of the assignment; (ii) NITA-U shall lobby for participation of key stakeholders in Accreditation and Certification; (iii) NITA-U shall provide relevant background documents for the assignment; (iv) Liaison and assistance in communicating with stakeholders; (v) NITA-U shall provide overall guidance on issues such as complaints, appeals, arbitration, decisions etc. that might arise as a result of the Certification activities conducted. 7. Profile of the Certification Body (CB) The firm/company undertaking the above mentioned tasks shall meet the following minimum requirements summarized in the table below: No. Basic Requirement 1. Firm/Company Experience Minimum Standards Legal Entity - Shall be legally registered organizations either in Uganda or overseas - Certification Bodies (CBs) that are not local shall partner with Ugandan locally registered and operating organization(s)/firms Certification Body/Firm Experience - Experience will depend on the focus domain for Certification Holy Spirit Take Over Page 6

7 - Not less than Three years of verifiable experience in conducting IT Certification Services in accordance with standards below and will also depend on the focus domains for Certification: 2. Human Resource: (The Human Resources shall include but not be limited to the following depending on the identified areas) ISO/IEC 17021:2006: Conformity assessment-requirements for bodies providing audit an Certification of management systems ISO/IEC 17024:2012: Conformity assessment - General requirements for bodies operating certification of persons ISO/IEC 17065:2012: Conformity assessment - Requirements for bodies certifying products, processes and services ISO/IEC 17025:2005: General requirements for the competence of testing and calibration laboratories etc. Affiliations to Regional and International Accreditation /Certification Bodies - Affiliated to regional and International Accreditation and Certification Bodies (International Accreditation Forum (IAF), International Laboratory Accreditation Certification (ILAC), etc.) Representation - Regional representation ensuring participation by subject matter experts from developing regions (Africa) and developed regions (Europe, America and Asia/Pacific etc.) 1. Team Leader The leader Auditor shall possess the following minimum qualifications: i. Bachelor s Degree in Computer Science or Information Technology/Telecommunications/Electrical Engineering or a related relevant qualification; ii. Proven additional training in planning, implementation, monitoring and evaluation of IT Projects and programmes iii. Professional registration as Certified Auditor (ISO, etc.)/affiliations to body of Certified Auditors iv. Possess Industry Certifications in IT Service Management, IT Governance, IT Security (ISO 20000, ITIL, CGEIT, CISSP, CISM, CISA, PMP etc.) Holy Spirit Take Over Page 7

8 v. At least 5 years experience working in the ICT field, with particular verifiable experience in: - Developing and implementing Policies, Standards & Guidelines, Frameworks and Strategies for ICT/IT, Management Information Systems, etc. at organizational, national and regional levels - Accreditation & Certification Assessments conducted within the above period an IT environment - Conducting assessments by the application of any of the following International Standards: ISO 20000, ISO 17020, 17021, 17024, 17025, among others. - Establishing Quality Management Systems in accordance with requisite International Standards - Linking ICT to overall National and Regional Development plans - Meeting and Workshop Facilitation - Report Writing vi. Working knowledge of Government and IT Sector procedures and processes. vii. Negotiation and conflict resolution skills 2. ICT Expert/Specialist The ICT Expert/Specialist shall possess the following minimum qualifications: i. Bachelor s Degree in Computer Science, Information Technology or a related relevant qualification; ii. Possess Industry Certifications in IT Service Management, IT Governance, IT Security (ISO 20000, ITIL, CGEIT, CISSP, CISM, CISA, PMP etc.) iii. Professional registration as Certified Auditor (ISO, etc.)/affiliations to body of Certified Auditors iv. At least 5 years experience working in the ICT field, with particular verifiable experience and expertise in: - In institutional organization and business management in Holy Spirit Take Over Page 8

9 complex environments, experience in strategic IT processes planning and management, drafting reports, working with Government institutions. - Knowledge and experience in Assessment of IT training Institutions, Professionals, Service providers, and Products for Accreditation /Certification in accordance with requisite Industry service Standards. - Conducting assessments by the application of any of the following International Standards: ISO 20000, 17020, 17021, 17024, 17025, among others. - Developing, analysing and implementing IT policies, standards and guidelines. - In-depth knowledge and understanding of IT, e- Government development issues, Information Technology (IT) Security and relevant work experience. - Proven knowledge of the Uganda IT Industry; - Negotiation and conflict resolution skills 3. Legal & Regulatory Services Advisor/Officer The Legal Service Officer shall possess the following minimum qualification and skills: i. Bachelor Degree in Law with a diploma in legal Practice ii. iii. Postgraduate qualification in law or business administration A minimum of 5 years experience in legal practice or corporate legal services and verifiable knowledge in the following: - Accreditation & Certification of Training Institutions, Professionals, Service providers and Products - Implementation of legal and policy frameworks and policies to support governance of IT delivery in the public and private sector. - Excellent Knowledge of Contract, Commercial, Corporate Law and business acumen - National legal and policy framework for IT Service level Management Holy Spirit Take Over Page 9

10 iv. Knowledge of the Ugandan Cyber Laws will be an added advantage. v. Negotiation and conflict resolution skills 8. Background Documents NITA-U shall provide the following background documents to provide information relevant to the assignment: i. NITA-U Act 2009 ii. iii. Accreditation and Certification Framework-2014 Standards, Regulations and Accreditation and Certification Guidelines to Enhance the Business Process Outsourcing (BPO) Industry in Uganda iv. National ICT Policy Framework 2008 v. National e-government Framework 2009 vi. National IT Policy 2010 vii. National ICT Policy 2003 viii. BPO Strategy and Model for Uganda ( ) Holy Spirit Take Over Page 10