ANNEX B. Terms of Reference. CTBTO Information Security Management System Support on Call-off Basis

Transcription

1 ANNEX B Terms of Reference CTBTO Information Security Management System Support on Call-off Basis

2 Table of Contents Acronyms 3 Introduction 4 Background 4 Objectives and Expected Results 5 Scope of Work 6 Deliverables and acceptance criteria 9 Requirements of the Contractor and its Personnel 10 Terms of Reference - CTBTO ISMS Support on Call-Off basis Page 2 of 10

3 Acronyms ISMS DHCP DNS LAN PTS IDC CISSP CISA CISM Information Security Management System Dynamic Host Configuration Protocol Domain Name System Local Area Network Provisional Technical Secretariat International Data Centre Certified Information Security Systems Professional Certified Information Systems Auditor Certified Information Systems Manager ISO/IEC International Standards Organization/ International Electrotechnical Commission NGO QA SOA DMZ CTBT Non-Governmental Organization Quality Assurance Statement of Applicability De-Militarized Zone Comprehensive Nuclear-Test-Ban Treaty Terms of Reference - CTBTO ISMS Support on Call-Off basis Page 3 of 10

4 1. INTRODUCTION The Preparatory Commission for the Comprehensive Nuclear-Test-Ban Treaty Organisation (hereinafter referred to as the Commission ) is the international organisation setting up the global verification system foreseen under the Comprehensive Nuclear-Test-Ban Treaty (hereinafter referred to as the CTBT ), which is the Treaty banning any nuclear weapon test explosion or any other nuclear explosion. The Treaty provides for a global verification regime, including a network of 321 stations worldwide, a communications system, an international data centre and on-site inspections to monitor compliance. The Headquarters and the International Data Centre (hereinafter referred to as the IDC ) of the Preparatory Commission are in Vienna (Vienna International Centre of United Nations). One fundamental task of the Commission s International Data Centre is to provide States Parties with equal, open, timely and convenient access to agreed products and services to support their national CTBT verification requirements. An integral component of the distribution mechanism is the use of web technology. To this end, the Commission is seeking a Contractor with the technical expertise, experience and resources to support the development of an ISMS framework based on ISO 27001:2005 International Security Standard and using the PDCA process improvement model. The Contract shall be for an initial period of one year. The Commission shall have the option to extend the Contract for an additional three consecutive periods of 12 months. 2. BACKGROUND The Commission has established an elaborate Information Systems Infrastructure hosting a myriad of key services. In order, to ascertain the security posture of this architecture, and subsequently develop a roadmap for security improvement, the Commission has recently awarded an Information Security Risk Assessment contract to an independent assessor to conduct detailed security reviews on its Information Systems Infrastructure. A key deliverable of the risk assessment assignment is a CTBTO Information Security Roadmap for security improvement. This will serve the Commission in its planning to augment its security posture, processes and procedures and by adopting security best practices, standards and procedures, in particular ISO/IEC 27001:2005 the de facto standard for Information Security Management. The Commission wishes to develop its Information Security Management System (ISMS) using a process improvement model Plan, Do, Check, Act (PDCA) Model, see figure 1 below. The Contractor shall be required to support the Commission in its pursuit in establishing this process improvement ISMS model. Terms of Reference - CTBTO ISMS Support on Call-Off basis Page 4 of 10

5 Interested Parties Interested Parties Security Expectations and Requirements Managed Information Security Figure 1: PDCA Model continual process improvement of the ISMS These Terms of Reference define the legal and technical framework of all related activities to be performed by the Contractor. 3. OBJECTIVES AND EXPECTED RESULTS The overall objective of this Contract is to develop a framework for information security management - ISMS. This shall be achieved by adopting a PDCA model for security improvement and applying best practices described in ISO/IEC 27001:2005. The Commission shall also adopt as a minimum and where applicable, the control objectives and controls described in ISO/IEC for security management. The expected overall result of this Contract is to examine the security requirements of the Commission, and develop a framework for continual security improvement. Specific results of this assignment shall include fully documented security procedures for the Commission which shall culminate in new or improved procedures for the following areas: Security Policy Organisation of Information security Asset management Human Resources Security Physical and Environmental Terms of Reference - CTBTO ISMS Support on Call-Off basis Page 5 of 10

6 Communications and Operations Security Access Control Software Development Information Security Incident Management Business Continuity Management Compliance 4. SCOPE OF WORK Information is a key business asset; the Commission has recognised this and is seeking to safeguard the confidentiality, integrity and availability of its information assets. The tasks under this Contract are categorised into two areas (Administrative and Technical controls) described in figure 2 below. Information Security Management Security policies, security awareness, compliance/ governance, standards, procedures, etc Firewall management, antivirus, access controls, monitoring, virtualisation, etc Administrative Controls Technical controls Figure 2: Information Security Management The first set of tasks will improve the administrative and governance framework for security management whilst the second set of tasks will review technical security measures that are applied to safeguard the Information Systems Infrastructure. These control measures shall complement each other in providing the required security and protection against unauthorised disclosure or access to information; details are provided in sections 6.1 and 6.2 respectively. 5. LEVEL OF EFFORT FOR THE SERVICES The services shall involve periods of work mainly on-site at the premises of the Commission in Vienna, Austria, as well as off-site at the premises of the Contractor. The Commission estimates the Contractor s work to perform to be 60 percent on-site Terms of Reference - CTBTO ISMS Support on Call-Off basis Page 6 of 10

7 at the Commission s Headquarters and 40 percent off-site at the Contractor s premises. The effort invested to perform the work shall be quantified in Contractor man-days. One (1) Contractor man-day represents the effort by one (1) personnel of the Contractor, invested during one (1) day in performing the work ordered. The Commission estimates that the work expected to be performed under the contract will require a level of Contractor s effort between 100 and 300 Contractor man-days on and off-site over a period of one year after the Contract s signature. However, the Commission shall not be obliged to purchase a minimum or a maximum number of Contractor man-days for the work to be performed under the contract. 6. WORK TASKS 6.1. Administrative Controls: Acquire the necessary knowledge, develop and establish a governance framework for the Commission s ISMS The Contractor may be requested to provide on-request services, which may include the following: Provide support in safeguarding the Commission s Information assets by maintaining confidentiality, integrity and availability of its critical assets; Review existing Information Security Policies, procedures and processes and make recommendations for improvements; Provide support in establishing ISMS controls documentation, implementation and maintenance; and make recommendations for ISMS procedures; Review corporate risk evaluation criteria and align with recommended best practice of organisations of similar structure and objectives as the Commission; Review, evaluate risks and make recommendations for improvements (where necessary) on the Commission s outsourcing policy on Information Systems; Review, evaluate risks and make recommendations for improvements (where necessary) on the Commission s open source policy on Operating Systems and software; Review existing Security and IT Infrastructure (including database architecture, networks, applications, web services, virtualisation, etc), align them with ISO 27001:2005 recommended practices and highlight areas for improvement; Terms of Reference - CTBTO ISMS Support on Call-Off basis Page 7 of 10

8 Provide guidance and support in rolling out the Information Security Roadmap for the Commission; Review the Commission s PKI Key management policies, procedures and processes and make recommendations for improvement; Organise and conduct training on information security disciplines 6.2. Technical Controls: Provide Support, documentation and technical security reviews The Contractor may be requested to provide on-request services, which may include: DMZ/Network Architecture Designs/Reviews Provide regular vulnerability assessments / security reviews on the Commission s IT Infrastructure (including firewalls, routers, servers, mail services, DNS, etc) Provide forensic review / assessment of computer incidents where necessary; Review the security arrangements on the Global Communications Infrastructure and make recommendations for improvement. 7. ORGANIZATION OF WORK 7.1 The Commission, upon signature of the Contract, shall convene a kick-off meeting in Vienna to agree on detailed procedures for initiating; developing requirements for approving, implementing, testing and accepting the Work Orders under sections 6.1 and 6.2 and deliverables under section The Commission will request the initiation of the Work in form of Work Orders. The Contractor shall not perform any work not requested by the Commission and defined in Work Orders. 7.3 The Work Order will be based on one or more tasks described in Work Tasks 6.1 and 6.2. Each work order will contain further definitions and description of the exact nature of the work to be completed. 7.4 Coordination (a) The Contractor shall report directly to a single nominated point of contact in Terms of Reference - CTBTO ISMS Support on Call-Off basis Page 8 of 10

9 the Commission. (b) The Contractor shall conform to the Commission s working hours (8 hrs/day) and days (Monday to Friday) when working on-site at the Commission s headquarters. (c) If requested by the Commission in a Work Order the Contractor shall participate in Contract performance meetings, which may be organized at the Commission s Headquarters in Vienna or at the Contractor s premises. During these meetings, planning and performance under the Contract, as well as any relevant topic related to thereto may be reviewed, discussed and recorded. 7.5 Upon receipt of a work order, the Contractor shall provide at minimum, the following information in response to the work order to be approved by the Commission prior to the commencement of any work: Work plan and proposal schedule to accomplish the work; Assumptions, constraints and key risks that could affect the task completion and methods to manage the risks; CV of Contractor s consultant(s) nominated to perform the work. All CVs submitted for prior approval must detail the consultant(s) nominated to perform such work. Subsequent change of personnel(s) accepted for duty shall occur only after obtaining prior approval by the Commission. Total cost for completion of the work order, including;- o Number of man-days to be allocated to the work; o Place of work (on-site / off-site); o Travel costs; o Commencement date and completion date of work. 8. DELIVERABLES AND ACCEPTANCE CRITERIA At the end of a particular work under the Work Order, the Contractor shall submit to the Commission the deliverable as stated in the respective Work Order together with a status report. Terms of Reference - CTBTO ISMS Support on Call-Off basis Page 9 of 10

10 8.1. Status report The status report shall summarise the work performed, number of Contractor s Personnel mandays used, authorised travel and subsistence cost for onsite work, and other important technical and managerial issues relating to the Contract Acceptance criteria The deliverable and the status report shall be in accordance with the requirements of the Contract and the applicable work order and their acceptance by the Commission shall be subject to the satisfactory completion thereof. The deliverable and the status report shall be the basis for invoicing and payment. 9. REQUIREMENTS OF THE CONTRACTOR AND ITS PERSONNEL The Contractor shall meet or exceed the following qualifications: Proven track record in designing and implementing projects in relevant technical field(s), preferably in advising large governmental organisations and/or NGOs on information security issues and leading them through establishing an ISMS; Proven track record of managing projects of a similar scope and complexity Proven track record of applying Project Management and Quality Assurance (QA) measures / methodology; The Contractor shall be sufficiently large and stable in order to guarantee the level of long term commitment and support to the services foreseen in these Terms of Reference; The Contractor shall provide three references for undertaking similar activities with other organisations. The Contractor s personnel assigned to this Contract shall meet or exceed the following qualifications: Experience in information security management using ISO/IEC 27001:2005 best practice procedures; Experience in leading development of an ISMS; Demonstrated security expertise with one or more of the following security certifications: CISSP, CISA, ISO/IEC 27001:2005 ISMS Auditor/Lead Auditor, CISM. Terms of Reference - CTBTO ISMS Support on Call-Off basis Page 10 of 10