NATIONAL INFORMATION TECHNOLOGY AUTHORITY-UGANDA DRAFT TERMS OF REFERENCE FOR CONSULTANCY SERVICES UNDER FRAMEWORK CONTRACTS



NATIONAL INFORMATION TECHNOLOGY AUTHORITY-UGANDA DRAFT TERMS OF REFERENCE FOR CONSULTANCY SERVICES UNDER FRAMEWORK CONTRACTS SEPTEMBER 2014

1.0 INTRODUCTION

The National Information Technology Authority-Uganda (NITA-U) is an autonomous statutory body established under the NITA-U Act 2009 to coordinate and regulate Information Technology services in Uganda. NITA-U is under the general supervision of the Ministry of Information and Communication Technology (MoICT). NITA-U is mandated to coordinate, promote and monitor IT development within the context of national social and economic development, with a vision as a facilitator of a knowledge-based, globally competitive Uganda where social transformation and economic development are supported through IT-enabled services.

Under the objects of the Authority, NITA-U is mandated to:
a) Provide high quality information technology services to government;
b) Promote standardization in the planning, acquisition, implementation, delivery, support and maintenance of information technology equipment and services, to ensure uniformity, equality, adequacy and reliability of information technology usage throughout Uganda;
c) Provide guidance and other assistance as may be required to other users and providers of information technology;
d) Promote cooperation, coordination and rationalization among users and providers of information technology at national and local levels so as to avoid duplication of efforts and ensure optimal utilization of scarce resources;
e) Promote and be the focal point of co-operation for information technology users and providers at regional and international levels; and
f) Promote access to and utilization of information technology by special interest groups.

Under the powers of the Authority, NITA-U is empowered:
1) To carry out regular e-readiness surveys to ascertain the status of information technology in Uganda;
2) To establish a repository of information technology standards, and for the registration and classification of documentation related to locally developed and imported information technology solutions;
3) To establish a mechanism for collaboration and promotion of partnerships between various categories of players in the information technology sector;
4) To regulate and certify information technology education in Uganda in consultation with the ministry responsible for Education or its agencies;
5) To charge fees for services provided by the Authority.

Consultancy Services Framework Contracts Version 1.0, page 2

NITA-U would like to engage suitably qualified firms under framework contracts to provide technical assistance (consultancy services) to enable her to fulfil her mandate. NITA-U expects the highest level of professionalism from the contracted firms.

2.0 ASSIGNMENT BACKGROUND

In line with her mandate, NITA-U is working on a number of projects across government which periodically call for extra highly qualified human resources to enable her to deliver on all assignments within the set budget and expected time frame. From time to time, NITA-U requires specialized resources to work on specific tasks or projects in accordance with specific guidelines, to ensure successful implementation.

3.0 OBJECTIVE

The objective of this procurement is to engage firms under framework contract to provide technical assistance in highly specialized areas as and when required, and to ensure that assignments, tasks, projects and/or programmes are completed on time, within budget, and with satisfactory quality.

4.0 SCOPE OF CONSULTANCY SERVICES

In all cases NITA-U will need short-term technical assistance at short notice, allowing for fast recruitment of experts. The quality of this technical assistance will be guaranteed by Framework Contractors who have been pre-selected for the thematic areas, or lots, below:

LOT 1: DIS: Software Applications / Systems Audit
LOT 2: DIS: Information Systems Audit
LOT 3: DIS: Computer Forensics and Investigations
LOT 4: DRLS: Compliance Assessments and Audits
LOT 5: DRPD: Research and Innovation Services
LOT 6: DTS: Technical Services
LOT 7: DRPD: IT Project Management
LOT 8: DeG: Web Development
LOT 9: DPRD: IT Standards and Frameworks Development Services
LOT 10: DPRD: IT Training and Capacity Building Services
LOT 11: PDRP: Project Quality Assurance / Monitoring & Evaluation
LOT 12: DeG: Business Analysis and Design

Each framework contractor has at its disposal the appropriate internal or external technical expertise and skills required for the lot for which it has been pre-selected.

5.0 SPECIFIC TERMS OF REFERENCE

5.1 LOT 1: DIS: Software Applications / Systems Audit

5.1.1 Background

In line with her mandate, NITA-U intends to conduct several Software Applications / System Audits on various Government of Uganda Systems that will determine the security and policy decisions required to ensure the protection of all internal information resources. NITA-U invites expressions of interest from consultants/consulting firms having a minimum of five years related experience and a proven track record in projects of a similar nature, who wish to carry out the audit exercise under a framework contract arrangement.

5.1.2 Description of assignment

1) Global objective: The objective is to carry out a comprehensive review and examination of the controls and internal checks built into the application. The consultant shall report on the conclusions reached from his audit/review of the application controls and recommend suitable measures for correcting any deficiencies identified during the audit review process.
2) The consultant will be permitted to access concerned records, software, hardware, and computer installations and shall be required to sign a non-disclosure agreement before commencement of duty.
3) The scope of work includes:
a) Evaluation of all the processes and activities which are computerized under the systems, using appropriate test data.
b) Evaluation of data origination controls: adequacy of controls in procedures relating to data preparation, document control, data authorization and data retention.
c) Review of the adequacy of systems and controls for data entry, segregation of roles and duties, data validation / editing procedures and data input error handling procedures.
d) Evaluation of the adequacy of controls in the data processing procedures to ensure data integrity.

e) Ensure that adequate checks and controls are built into the system to provide completeness and accuracy of the output reports.
f) Knowledge transfer.
g) Recommendations and an implementation plan to correct the deficiencies.
h) Study the existing system and validate the application software. Also attempt an analysis of comparator applications used for similar functions in successful projects elsewhere.
i) The evaluation framework should incorporate a multiple-criteria assessment for evaluating and validating the application software, covering ease of use, complexity of procedure, errors in documentation, timely response, etc.
4) Required outputs: The consultant shall submit an application software / system audit report, which shall include the following:
a) Study of the existing system(s), validation of the application and submission of reports with recommendations.
b) Test / audit of the application software modules, identification of deficiencies observed in the systems and submission of reports with appropriate recommendations.
c) Knowledge transfer to selected staff.
d) Submission of final reports.
5) NITA-U reserves the right to cancel the consultancy at any point in time if the performance is found to be unsatisfactory.

5.1.3 Experts profile or expertise required

1) The expected number of key personnel in the team is five. The team will consist of one team leader and four team members as a minimum. They should have experience in the complete life cycle of application software (study, design, development, testing, implementation, training, troubleshooting and support, etc.) using various operating systems (such as Linux, Windows, UNIX) and tools and environments (such as VB, .NET, Oracle, MS Access, Postgres, etc.).
2) Profile per expert or expertise required:
a. The Team Leader: Bachelor's in Software Engineering, Computer Science, Computer Application or IT, as well as an IT audit / Information Security certification, with a minimum of 5 years computer systems audit related experience.
b. The Team Member: Bachelor's in Software Engineering, Computer Science, Computer Application or IT, as well as an IT audit / Security

certification, with a minimum of 3 years computer systems audit related experience.

5.1.4 Location and duration

1) The duration of this consultancy is 60 calendar days.
2) The location(s) of assignment shall be as advised by NITA-U.

5.1.5 Reporting

1) The Audit Report should comprise an Executive Summary, Findings and Recommendations, which should include, but not be limited to, System Vulnerabilities, Security Program Management of Information Technology Resources and Application Life Cycle Controls.
2) Unless otherwise stated, the reporting language shall be English.
3) Weekly activity reports, tasks to be performed and travel schedule are to be submitted to NITA-U.
4) A committee shall be set up to review the progress on completion of the entire work at different stages or as and when necessary.

5.1.6 Administrative information

1) Interviews for the Team Leader and two of the team members may be required.
2) In case of the need to subcontract, NITA-U shall review and approve such arrangements.
3) English shall be the language of communication for all legal documents.
4) For each assignment, a proposal shall be submitted that must contain a brief and clear methodology to be used to accomplish the assignment at hand.
5) Management team member presence shall be required for briefing and/or debriefing.

5.2 LOT 2: DIS: Information Security Audit

5.2.1 Background

In line with her mandate, NITA-U intends to conduct several Information Security Audits for various Government of Uganda institutions to determine whether their information security measures are adequate to guarantee the preservation of the confidentiality, integrity and availability of information and information processing assets. NITA-U invites expressions of interest from consultants/consulting firms having a minimum of five years related experience and a proven track record in projects of

a similar nature, who wish to carry out the audit exercise under a framework contract arrangement.

5.2.2 Description of assignment

1) Global objective: The objective is to carry out an Information Security Audit using best security practices, which helps Government of Uganda institutions to maintain Information Technology (IT) security through ongoing, integrated management of policies and procedures, personnel training, selection and implementation of effective controls, and review of their effectiveness and improvement. This should improve customer confidence, competitive edge, personnel motivation and involvement, and reduce incident impact. Ultimately, this leads to control over organizational losses and improved revenues.
2) The consultant will be permitted to access concerned records, software, hardware, and computer installations and shall be required to sign a non-disclosure agreement before commencement of duty.
3) The scope of work includes:
a) Review the adequacy of systems controls for the Database Management System, including access to, structuring of and control over the shared database. Evaluate the adequacy of systems for data administration, data access, concurrency controls, database integrity and content recovery processes.
b) Review and report on the logical and physical security of the computer systems, including password administration, security violation reports, security of online access to data, backup and recovery plans and disaster management procedures.
c) Information security policy for the organization: This activity involves a thorough understanding of the organization's business goals and its dependence on information security. This entire exercise begins with the creation of the IT Security Policy. This is an extremely important task and should convey the total commitment of top management. The policy cannot be a theoretical exercise; it should reflect the needs of actual users. It should be implementable, easy to understand and must balance the level of protection with productivity. The policy should cover all the important areas, such as personnel, physical, procedural and technical.
d) Creation of information security infrastructure: A management framework needs to be established to initiate, implement and control information security within the organization. This needs proper procedures for approval of the information security policy, assignment of security roles and co-ordination of security across the organization.

e) Asset classification and control: One of the most laborious but essential tasks is to manage an inventory of all the IT assets, which could be information assets, software assets, physical assets or other similar services. These information assets need to be classified to indicate the degree of protection required. The classification should result in appropriate information labelling to indicate whether the asset is sensitive or critical, and the procedure appropriate for copying, storing, transmitting or destroying the information asset.
f) Personnel security: Human errors, negligence and greed are responsible for most thefts, fraud or misuse of facilities. Various practical measures should be taken, such as personnel screening policies, confidentiality agreements, terms and conditions of employment, and information security education and training. Alert and well-trained employees who are aware of what to look for can prevent future security breaches.
g) Physical and environmental security: Designing a secure physical environment to prevent unauthorized access, damage and interference to business premises and information is usually the starting point of any security plan. This involves a physical security perimeter, physical entry control, creating secure offices, rooms and facilities, providing physical access controls, providing protection devices to minimize risks ranging from fire to electromagnetic radiation, and providing adequate protection to power supplies and data cables. Cost-effective design and constant monitoring are two key aspects of maintaining adequate physical security control.
h) Communications and operations management: Properly documented procedures for the management and operation of all information processing facilities should be established. This includes detailed operating instructions and incident response procedures.
i) Network management: Network management requires a range of controls to achieve and maintain security in computer networks. This also includes establishing procedures for remote equipment, including equipment in user areas. Special controls should be established to safeguard the confidentiality and integrity of data passing over public networks. Special controls may also be required to maintain the availability of the network services.
j) Exchange of information and software: Exchange of information and software between external organizations should be controlled and should comply with any relevant legislation. There should be proper information and software exchange agreements; the media in transit needs to be secure and should not be vulnerable to unauthorized access, misuse or corruption.
k) Electronic commerce: Electronic commerce involves electronic data interchange, electronic mail and online transactions across public networks such as the Internet. Electronic

commerce is vulnerable to a number of network threats that may result in fraudulent activity, contract dispute and disclosure or modification of information. Controls should be applied to protect electronic commerce from such threats.
l) Access control: Access to information and business processes should be controlled. The business and security requirements will include:
   i. Defining an access control policy and rules
   ii. User access management
   iii. User registration
   iv. Privilege management
   v. User password management
   vi. Review of user access rights, network access controls
   vii. Enforcing paths from user terminals to computer
   viii. User authentication, node authentication
   ix. Segregation of networks
   x. Network connection control, network routing control, operating system access control
   xi. User identification and authentication
   xii. Use of system utilities
   xiii. Application access control
   xiv. Monitoring system access and use
   xv. Ensuring information security when using mobile computing and teleworking facilities.
m) System development and maintenance: Security should ideally be built in at the inception of a system. Hence security requirements should be identified and agreed prior to the development of information systems. This begins with security requirement analysis and specification, and providing controls at every stage, i.e. data input, data processing, data storage and retrieval, and data output. It may be necessary to build applications with cryptographic controls. There should be a defined policy on the use of such controls, which may involve encryption, digital signatures, use of digital certificates, protection of cryptographic keys and the standards to be used for cryptography. A strict change control procedure should be in place to facilitate tracking of changes. Any changes to the operating system or software packages should be strictly controlled. Special precautions must be taken to ensure that no covert channels, back doors or Trojans are left in the application system for later exploitation.
n) Business continuity management: A business continuity management process should be designed, implemented and periodically tested to reduce

the disruption caused by disasters and security failures. This begins by identifying all events that could cause interruptions to business processes; depending on the risk assessment, a strategy plan should be prepared. The plan needs to be periodically tested, maintained and re-assessed based on changing circumstances.
o) Compliance: It is essential that strict adherence is observed to the provisions of national and international IT laws pertaining to Intellectual Property Rights (IPR), software copyrights, safeguarding of organizational records, data protection and privacy of personal information, prevention of misuse of information processing facilities, regulation of cryptographic controls and collection of evidence. The use of Information Technology in business has also resulted in the enactment of laws that enforce responsibility for compliance. All legal requirements must be complied with to avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.
p) Review the adequacy of systems documentation for operating and maintaining the new systems, ensure control functions and responsibilities are appropriately documented and that the quality of documentation complies with minimum industry standards.
q) Documentation: The ISMS documentation shall consist of the following information:
   i. Evidence of action taken for implementation of the ISMS
   ii. Details of the procedures adopted to implement the controls. It should also describe the responsibilities and relevant factors
   iii. Procedures covering the management and operation of the ISMS.
r) Document control: Procedures should be established for controlling all documentation required as detailed above, ensuring that the documentation is:
   i. Readily available
   ii. Periodically reviewed and revised as necessary in line with the organization's security policy
   iii. Maintained under version control and made available to all locations where operations essential to the ISMS are being performed
   iv. Promptly withdrawn when obsolete
   v. Identified and retained when obsolete and required for legal or knowledge preservation purposes or both.
s) Records: Records such as the visitor's book, audit records, ACLs, etc., being evidence generated as a consequence of the operation of the Information Security Management System, should be maintained to demonstrate compliance with the requirements of ISO 17799:2000. There should be procedures

established for identifying, maintaining, retaining and disposing of these records demonstrating compliance.
t) Knowledge transfer.
u) Recommendations and an implementation plan to correct the deficiencies.
4) Required outputs: The consultant shall submit an audit report, which shall include the following:
a) Study of the existing governance, policies and procedures, and submission of reports with recommendations.
b) Validation of the existing administrative documents and submission of the reports.
c) Recommendations and changes in the existing administrative documents based on industry standards.
d) Fine-tuning of the administrative documents based on best practice and the business requirements of the target institution.
e) Knowledge transfer to selected staff.
f) Submission of final reports.
5) NITA-U reserves the right to cancel the consultancy at any point in time if the performance is found to be unsatisfactory.

5.2.3 Experts profile or expertise required

1) The expected number of key personnel in the team is five. The team will consist of one team leader and four team members (Systems Specialist, Network Specialist, Applications Specialist, Architecture and Integration Specialist) as a minimum. They should have knowledge and experience in customizing and deploying applications, systems analysis and design, information systems auditing, operating systems installation, administration and auditing, information security risk analysis and remediation, network design, installation, support and auditing, and penetration testing and vulnerability assessment.
2) Profile per expert or expertise required:
a. The Team Leader: bachelor's degree in either information systems or computer science (or other technical discipline) with a minimum of 5 years Information Security audit related experience. The Team Leader should possess an IT audit / Information Security certification and project management knowledge and experience.
b. The System Security Specialist: bachelor's degree in either information systems or computer science (or other technical discipline)

with a minimum of 3 years System Administration / Audit related experience. The System Security Specialist should possess a System Administration and an IT audit / Information Security certification.
c. The Network Specialist: bachelor's degree in either information systems or computer science (or other technical discipline) with a minimum of 3 years Network Administration / Audit related experience. The Network Specialist should possess a Network Administration and an IT audit / Information Security certification.
d. The Application Specialist: bachelor's degree in either information systems or computer science (or other technical discipline) with a minimum of 3 years Application or Database Administration / Audit related experience. The Application Specialist should possess an Application / Database Administration and an IT audit / Information Security certification.
e. The Architecture and Integration Specialist: bachelor's degree in either information systems or computer science (or other technical discipline) with a minimum of 3 years System Integration related experience. The Architecture and Integration Specialist should possess a System Integration and an IT audit / Information Security certification.

5.2.4 Location and duration

1) The duration of this consultancy is 75 calendar days.
2) The location(s) of assignment shall be as advised by NITA-U.

5.2.5 Reporting

1) The Audit Report should comprise an Executive Summary, Findings and Recommendations, which should include, but not be limited to, Web Application Security, Vulnerability Testing, Penetration Testing, Wireless Security, Policy and Procedure Review, Cyber Security Incident Response, Physical Security, Personnel Security, Asset Classification and Source Code Review.
2) Unless otherwise stated, the reporting language shall be English.
3) Weekly activity reports, tasks to be performed and travel schedule are to be submitted to NITA-U.
4) A committee shall be set up to review the progress on completion of the entire work at different stages or as and when necessary.

5.2.6 Administrative information

1) Interviews for the Team Leader and two of the team members may be required.
2) In case of the need to subcontract, NITA-U shall review and approve such arrangements.

3) English shall be the language of communication for all legal documents.
4) For each assignment, a proposal shall be submitted that must contain a brief and clear methodology to be used to accomplish the assignment at hand.
5) Management team member presence shall be required for briefing and/or debriefing.

5.3 LOT 3: DIS: Computer Forensics and Investigations

5.3.1 Background
In line with her mandate and as need arises, NITA-U intends to contract a firm under a framework contract arrangement to conduct several computer forensics and investigation exercises on various Government of Uganda systems, in pursuit of those that violate or mismanage computer systems, in accordance with the various cyber laws. The firm selected will be experienced in all aspects of computer forensic work and will have the high level of skills and qualifications necessary to conduct the investigations, to effectively support the collection and analysis of electronic evidence, and to support the effective use of this evidence in later processes, including the recovery from financial loss, administrative action and criminal prosecution by other government agencies.

5.3.2 Description of assignment
1) Global objective
The objective is to carry out electronic investigations while ensuring that the investigator creates an audit trail and maintains a complete chain of custody, which can be used to demonstrate that any conclusions drawn from the investigation are verifiable and in accordance with the industry standards and guidelines for Digital Evidence.
2) The consultant will be permitted to access the concerned records, software, hardware and computer installations, and shall be required to sign a non-disclosure agreement before commencement of duty.
3) The scope of work includes:
a) Acquisition of data in a way that preserves the data in the state in which it existed immediately prior to its capture;
b) Investigation of any device which can hold digital data;
c) Analysis of and reporting on the captured data; and
d) Knowledge transfer.
4) Required outputs

a) The consultant shall submit an investigation report, which shall include the following:
i. Procedures used
ii. Evidence located
iii. Evidence collected
iv. Conclusion with reasoning
b) The consultant shall also be expected to undertake deliberate actions aimed at building the capacity of selected staff.
5) NITA-U reserves the right to cancel the consultancy at any point in time if the performance is found to be unsatisfactory.

5.3.3 Technical Skills and Competences
1) Knowledge and experience with the following operating systems: Windows, Linux, UNIX, iOS and Android, as well as a thorough understanding of computer forensic tools such as EnCase, Forensic Toolkit (FTK), Autopsy and/or ILook Investigator.
2) Thorough knowledge of computer forensic procedures for data collection, preservation, recovery and analysis, including network forensic analysis and reporting.
3) Ability to properly calibrate and maintain the forensic equipment in proper working order.
4) Ability to analyze industry technology trends to incorporate proven forensic investigation and supporting technologies into practice.
5) Ability to analyze and deploy best practices applicable to forensics.
6) Understanding of information systems security; network architecture; general database concepts; document management; hardware and software troubleshooting; electronic mail systems such as Exchange; and Microsoft Office applications.
7) Ability to provide deposition and expert trial testimony when needed.

5.3.4 Qualifications
1) Possession of professional certifications and membership in professional associations in the field of computer forensics is highly desirable.
2) The successful firm will have a combination of education and experience related to the essential duties and responsibilities, including:
a. At least seven years of experience in computer forensic investigation with a law enforcement agency or with a professional services firm.
b. Ability to maintain confidentiality is critical.

c. Demonstrated experience in managing the day-to-day aspects of client relationships, as well as forensic cases, is a must.
d. Knowledge of computer forensic tools, methodologies and protocols (e.g. EnCase, FTK, etc.).
e. Expertise in Windows operating systems, Linux, UNIX, PC hardware and PC networking.
f. Hardware to be analyzed will primarily encompass hard drives (such as SATA, SSD). However, additional equipment may include thumb drives, memory cards, mobile phones and other related storage devices.
g. Experience of undertaking engagements of a similar nature is an asset.

5.3.5 Experts profile or Expertise required
1) The expected number of key personnel in the team is three. The team will consist of one team leader and two team members as a minimum. They should have strong technical ability with various computers, software and hardware; excellent communication abilities; a strong analytical approach to problem-solving; working knowledge of tools such as EnCase, FTK, Paraben and other industry-recognized tools; and should be willing to travel across Uganda for business-related purposes without restriction.
2) Profile per expert or expertise required:
a. The Team Leader having a bachelor's degree in either forensics or computer science (or other technical discipline) with a minimum of 3 years' experience working in either a computer forensics or e-discovery environment, as well as experience in imaging of various digital media platforms and acquiring all sources of data.
b. The Team Member having a bachelor's degree in either forensics or computer science (or other technical discipline) with a minimum of 1 year's experience working in either a computer forensics or e-discovery environment, as well as experience in imaging of various digital media platforms and acquiring all sources of data.

5.3.6 Reporting
1) The consultant shall submit their forensic examination report(s) to NITA-U as well as to the institution where the services have been provided. The information provided in the reports should be concise and accurate.
2) The consultant shall maintain an audit trail or other record of all processes applied to computer-based electronic evidence, to allow a third party re-examination to achieve the same results.

3) Unless otherwise stated, the reporting language shall be English.
4) Analysis and reporting shall be within 30 days of receipt of the digital device.
5) Weekly activity reports, tasks to be performed and travel schedule are to be submitted to NITA-U.
6) A committee shall be set up to review the progress on completion of the entire work at different stages or as and when necessary.
7) Any indications included in the report restricting its distribution and/or use will be deemed null and void.

5.3.7 Administrative information
1) Interviews for the Team Leader and one of the team members may be required.
2) In case of the need to subcontract, NITA-U shall review and approve such arrangements.
3) The electronic evidence and other related records are the property of the information owners but may be retained by the consultant, and should be made available for review upon request. The retention period for electronic evidence and other related records shall be seven years.
4) English shall be the language of communication for all legal documents.
5) For each assignment, a proposal shall be submitted that must contain a brief and clear methodology to be used to accomplish the assignment at hand.
6) Management team member presence shall be required for briefing and/or debriefing.
7) The firm and its staff shall maintain confidentiality regarding any information obtained in connection with the computer forensic services undertaken on behalf of NITA-U.

5.4 LOT 4: DRLS: Compliance Assessments and Audits

5.4.1 Background
As the Authority for Information Technology, NITA-U is required to regulate the Information Technology (IT) sector, which includes public and private entities/persons, and in particular to regulate IT education, IT professionals and IT service providers. Specific laws have been passed by Parliament, to wit: The Electronic Transactions Act, 2011, The Electronic Signatures Act, 2011 and their underlying regulations; and the Computer Misuse Act, 2011. These laws were passed in order to facilitate, and provide assurance on the authenticity of, e-transactions and to guard against the abuse of computer systems. Additional regulations are currently being drafted to further operationalize the NITA-U Act. In addition to the above-mentioned laws, Government Directives on IT and IT Standards that NITA-U issues from time to time together form the legal framework. These laws apply to the service providers as well as the users of IT products and services, who are expected to abide by them. It is imperative therefore that NITA-U monitors adherence to these laws or other laws and Directives that may be passed/issued from time to time. NITA-U may choose to do this using in-house expertise or engage third party experts for support.

5.4.2 Description of assignment
1) Global objective
1.1 To achieve the objective of Government in setting up NITA-U, which includes:
- The implementation of the NITA-U Act, the IT laws, Cabinet Directives and laws passed from time to time.
- To achieve efficiency and effectiveness in service delivery by Government.
- To facilitate the provision of quality IT products and services to consumers.
- Growth and development of the IT sector that translates into socio-economic development for the nation.
1.2 Monitor compliance by the Authority, management, employees and stakeholders in the Information Technology (IT) Sector with IT Laws, Regulations, Standards, Directives, Policies, Procedures and other relevant Laws (collectively, IT laws/the legal framework), in order to ensure the delivery of government objectives for regulating the IT sector.
2) Specific objective(s)
The consultant(s) will be required to conduct compliance assessments and/or audits to determine the level of compliance of the target group/entity, and in particular:
- Conduct compliance assessments in order to provide management and the Board with assurance that the IT laws are being complied with.
- Identify compliance gaps within the entity assessed and make appropriate recommendations for addressing those gaps, including the establishment of necessary controls.
- Follow up on progress with resolution of the compliance gaps identified, where requested by NITA-U.

3) Requested services
The Consultant will be required to provide the following services:
- Conduct compliance assessments and/or audits as assigned by NITA-U from time to time.
- Provide timely reports to NITA-U on the results of the assessments and/or audits.
- Where required, conduct follow-up reviews to check that review recommendations have been actioned.
4) Required outputs
It is expected that, following the engagement of the consultant for a specific assignment, the following should be the outputs:
- Compliance assessments and/or audits conducted as assigned by NITA-U.
- A duly completed report issued in accordance with NITA-U terms of reference.
- Timely conduct of follow-up reviews requested by NITA-U.

5.4.3 Experts profile or Expertise required
1) Number of requested experts per category and number of man-days per expert or per category.
Category: Compliance with requirements under the IT legal framework.
Number of required experts: 1 (one) expert.
Number of man-days per expert: 20 working days.
NB: The above will depend on the nature and scope of the assignment to be undertaken and will be determined before engagement of the consultant.
2) Profile per expert or expertise required:
a. Category and duration of equivalent experience
Demonstrated knowledge of IT laws and practices. At least 5 (five) years' experience in monitoring and evaluation work in the IT field, and evidence of a minimum of 5 assignments successfully completed for a large organization or Government.

b. Education
As a minimum:
- Master's or Honours degree in IT, Accounting or other relevant fields, with skills in compliance audits.
- Master's or Honours degree in Law.
- Possession of professional qualifications in IT will be an added advantage.
- Accreditation and certification in IT will be an added advantage.
- Formal training in monitoring and evaluation will be an added advantage.
c. Experience
Evidence of similar assignments undertaken and successfully completed for a minimum of 5 (five) large organizations or Government departments.
d. Language skills
Proficiency in the English language.
Minimum required skills must be clearly identified:
- Excellent knowledge of the IT laws and overall IT regulatory environment.
- Sufficient technical expertise in IT, audit and the conduct of compliance assessments.
- Excellent report writing skills.

5.4.4 Location and duration
1) Starting period
At the start of the Quarter, to be undertaken 4 (four) times in a financial year, or as may be determined by management from time to time.
2) Foreseen finishing period or duration
Each assignment should last no longer than 20 working days.
3) Planning, including the period for notification for placement of the staff
No less than 10 working days before commencement of an assignment.

4) Location(s) of assignment
The assignments will be conducted onsite at the premises of the entity being assessed. However, a combination of onsite and offsite assessments may be adopted as deemed appropriate for the achievement of the objectives of the assignment.
NB: The duration of the assignment may vary based on the scope of the assignment, but NITA-U reserves the right to determine the assignment scope and duration.

5.4.5 Reporting
1) Content
As a minimum requirement, the report should contain the following: an acknowledged receipt of the engagement letter issued to the entity assessed in accordance with clause 5.4.4 (3) above.
2) Language
The report, as well as any annexures thereto, shall be written in the English language.
3) Submission/comments timing
The draft report should be issued within 5 (five) working days from the 20th day referred to under 5.4.4 (2) above.
4) Number of report copies
A minimum of 3 reports, spiral bound with appropriate stationery.

5.5 LOT 5: DRPD: Research and Innovation Services

5.5.1 Background
Under Sections 5(l) and (o) of the NITA-U Act respectively, NITA-U has the mandate to provide information management services, through acting as a records management facility and information depository, and also to undertake and commission research as may be necessary to promote its objectives. In execution of its functions under Section 19, NITA-U is required to conduct Information Technology (IT) surveys. In addition, Section 23 of the Act authorizes NITA-U to disseminate any information collected from a survey. NITA-U shall, in performing the above functions, consult and cooperate with other institutions/organizations with functions related to, or having aims or objectives related to, IT Research & Innovation Services. Section 32(2) of the NITA-U Act 2009 (Relationship with other Organizations) mandates NITA-U to delegate any of its functions under the Act to any organization. In light of the above, NITA-U is seeking suitable individuals and firms/companies to deliver upon specified IT Research and Innovation services whenever the need arises.

5.5.2 Description of assignment
1) Global objective
The global objective of this assignment is to strengthen the capacities of NITA-U in fulfilling her respective pre-accession roles and functions.
2) Specific objective(s)
The IT Research and Innovation services being sought include, but are not limited to:
a) Conducting IT Surveys;
b) Conducting research on emerging technologies;
c) Development of a comprehensive IT Research & Innovation System;
d) Developing research project proposals (needs assessments, appraisals and pre-project studies) in line with the Authority's strategic plan;
e) Software applications and database development.
3) Required outputs
Outputs required will be structured/stated according to the service need/request.

5.5.3 Experts profile or Expertise required
1) Qualifications
a) A minimum of a Bachelor's Degree in Computer Science, Information Technology, Information Systems, Statistics or their equivalent;
b) A Master's Degree in Computer Science, Information Technology, Information Systems, Software Engineering or a closely related field is a requirement;
c) Professional/Industry IT Certification such as ITIL, MCSE, CISSP, CISM, CGEIT, CRISC, PMP, etc. is an added advantage;

d) Certification in Research Administration, such as Certified Research Administrator (CRA), is an added advantage.
2) Experience
a) A minimum of five years' proven and demonstrable experience in IT Research and Innovation in a reputable Public or Private Organization;
b) Experience researching and recommending technical solutions related to Information Technology;
c) Experience managing technology or software development projects; supervising professional or management staff; preparing and managing a variety of complex information technology related operations; setting goals, priorities and strategies for computer system security and other technical solutions;
d) Experience in establishing procedures and implementing processes; analysing functions and practices to improve effectiveness; using technology for research and development efforts; and facilitating group processes;
e) Knowledge of emerging technologies; systems integration and infrastructure; project implementation strategies; and research and development strategies.

5.5.4 Location and duration
Starting periods and finishing period or duration will be appropriately communicated along with the location(s) of assignment.

5.5.5 Reporting
The medium of communication for the assignment shall be English. The consultant will produce the documents and reports in both electronic and hard copy formats, as Microsoft Word documents, and submit them to NITA-U. The nature of the reports shall include:
a) Inception report that should outline the details of the approach, methodology, work plan (including budget) and the timeline for all the activities in the project scope.
b) Periodic report on project progress and budget exhaustion (Daily/Weekly/Monthly).
c) Final report as indicated in the project timeline.
The work plan should specify the management structure as well as the responsibility of each member of the team, including the main contractor and/or sub-contractors. The work plan should include a list of detailed tasks to be performed, with clear and realistic phases and milestones. Resources should be clearly associated with each task.

On the basis of the reporting mentioned above, the consultant should work closely under the guidance of the Head of Department, Research and Innovation, who is responsible for planning, executing and monitoring the project as per the contract agreement with NITA-U.

5.5.6 Administrative information
1) In case of the need to subcontract, NITA-U shall review and approve such arrangements.
2) English shall be the language of communication for all legal documents.
3) For each assignment, a proposal shall be submitted that must contain a brief and clear methodology to be used to accomplish the assignment at hand.

5.6 LOT 6: DTS: Technical Services

5.6.1 Background
The Directorate of Technical Services is mandated under the NITA-U Act to foster the development of the following functions of the NITA-U Act:
a) Provide first level technical support and advice for critical Government information technology systems, including managing the utilisation of the resources and infrastructure for centralised data centre facilities for large systems, through the provision of specialised technical skills;
b) Identify and advise Government on all matters of information technology development, utilisation, usability, accessibility and deployment, including networking, systems development, information technology security, training and support;
c) Create and manage the national data bank, its inputs and outputs; and
d) Provide guidance on the establishment of an infrastructure for information sharing by Government and related stakeholders.

5.6.2 Description of assignment
a) Specific objective(s)
The consultant(s) will be required to provide advisory services to and on behalf of NITA-U in relation to its mandate as the IT advisory and implementation arm of Government. The Directorate of Technical Services provides IT Services to Ministries, Departments and Agencies. The Directorate would therefore like to engage suitably qualified professionals to provide the above services on behalf of NITA-U.
b) Requested services
The Consultant will be required to provide the following services:
- Provide Technical Advice in relation to the provisioning of IT Services for Ministries, Departments and Agencies, with the specific goal of enabling the delivery of optimized and rationalized IT services from NITA-U; developing
- Conduct compliance assessments and/or audits as assigned by NITA-U from time to time.
- Provide timely reports to NITA-U on the results of the assessments and/or audits.
- Where required, conduct follow-up reviews to check that review recommendations have been actioned.
c) Required outputs
The Consultancy firms shall be required to undertake all required activities from project planning until closure, and follow the National IT Project Management Methodology or any applicable guidelines. Companies will work under the guidance of the IT Services Department in the Directorate of Technical Services. Contracted firms will be expected to present a list of key resources categorized based on their experience in various IT specialized areas, including IT Solution experts, Systems Analysts, Business Analysts and Information Security experts, as detailed in the attached Terms of Reference, at all levels including senior management, middle management and entry level positions.

5.6.3 Experts profile or Expertise required
The consultant firms should comprise network specialists, systems specialists, Infrastructure Specialists and IT Services Delivery specialists with the following qualifications and job experience:
a) Network Specialist
The specialist shall possess network planning, management, supervision and maintenance of large Next Generation Networks, Enterprise Wide Area Networks, Network Operating Centres (NOCs) and any LAN, MAN or WAN infrastructure. The Network Specialists will be required to perform the following:

- Planning, design, implementation, testing and maintenance of Network Infrastructure;
- Supervision of the systems administration and maintenance of the DWDM, SDH and optical switching networks that are being implemented and maintained by NITA-U;
- Design and implement security controls for MDA LAN and WAN infrastructure;
- Monitoring and implementation of these to ensure that the performance targets are met;
- Manage network performance and recommend adjustments to a wide variety of complex network management functions;
- Monitor and ensure availability of the Network for it to be operational at all times;
- Proactively investigate problems that may affect Network availability and take actions to resolve them;
- Monitor Network security, deployment of IOS software upgrades, and enforce Network licence agreements;
- Review and manage service agreements, ensuring maximum productivity on all running SLAs; and
- Recommend and implement policies, standards and documentation procedures related to the NOC operation procedures.
Qualifications and Competencies
- Bachelor's Degree in Computer Science, Information Systems, Information Technology or Telecommunications Engineering;
- Master's Degree in any IT related field;
- Five years' experience in the design, implementation and management of Networks in a large enterprise;
- Professional certifications such as CCDA, CCNA, CISSP, MCSE, etc. will be an added advantage;
- Demonstrated project management and communication experience will be required.
b) OFC Specialists
The OFC Specialist shall provide services in the field of maintenance of the optical switching networks deployed; oversee the development of the Optical Fibre networks; and provide quality assurance of OFC implementations. The OFC Specialists will be required to perform the following:
- Systems administration and maintenance of DWDM, SDH and optical switching networks;