ANNEX B Terms of Reference CTBTO Information Security Management System Support on Call-off Basis

Table of Contents

Acronyms ... 3
Introduction ... 4
Background ... 4
Objectives and Expected Results ... 5
Scope of Work ... 6
Deliverables and acceptance criteria ... 9
Requirements of the Contractor and its Personnel ... 10

Terms of Reference - CTBTO ISMS Support on Call-Off basis Page 2 of 10

Acronyms

ISMS - Information Security Management System
DHCP - Dynamic Host Configuration Protocol
DNS - Domain Name System
LAN - Local Area Network
PTS - Provisional Technical Secretariat
IDC - International Data Centre
CISSP - Certified Information Security Systems Professional
CISA - Certified Information Systems Auditor
CISM - Certified Information Systems Manager
ISO/IEC - International Standards Organization / International Electrotechnical Commission
NGO - Non-Governmental Organization
QA - Quality Assurance
SOA - Statement of Applicability
DMZ - De-Militarized Zone
CTBT - Comprehensive Nuclear-Test-Ban Treaty

1. INTRODUCTION

The Preparatory Commission for the Comprehensive Nuclear-Test-Ban Treaty Organisation (hereinafter referred to as "the Commission") is the international organisation setting up the global verification system foreseen under the Comprehensive Nuclear-Test-Ban Treaty (hereinafter referred to as "the CTBT"), which is the Treaty banning any nuclear weapon test explosion or any other nuclear explosion. The Treaty provides for a global verification regime, including a network of 321 stations worldwide, a communications system, an international data centre and on-site inspections to monitor compliance. The Headquarters and the International Data Centre (hereinafter referred to as "the IDC") of the Preparatory Commission are in Vienna (Vienna International Centre of the United Nations).

One fundamental task of the Commission's International Data Centre is to provide States Parties with equal, open, timely and convenient access to agreed products and services to support their national CTBT verification requirements. An integral component of the distribution mechanism is the use of web technology.

To this end, the Commission is seeking a Contractor with the technical expertise, experience and resources to support the development of an ISMS framework based on the ISO 27001:2005 International Security Standard and using the PDCA process improvement model.

The Contract shall be for an initial period of one year. The Commission shall have the option to extend the Contract for an additional three consecutive periods of 12 months.

2. BACKGROUND

The Commission has established an elaborate Information Systems Infrastructure hosting a myriad of key services. In order to ascertain the security posture of this architecture, and subsequently develop a roadmap for security improvement, the Commission has recently awarded an Information Security Risk Assessment contract to an independent assessor to conduct detailed security reviews on its Information Systems Infrastructure.

A key deliverable of the risk assessment assignment is a CTBTO Information Security Roadmap for security improvement. This will serve the Commission in its planning to augment its security posture, processes and procedures by adopting security best practices, standards and procedures, in particular ISO/IEC 27001:2005, the de facto standard for Information Security Management.

The Commission wishes to develop its Information Security Management System (ISMS) using the Plan, Do, Check, Act (PDCA) process improvement model, see Figure 1 below. The Contractor shall be required to support the Commission in establishing this process improvement ISMS model.

[Figure 1: PDCA Model - continual process improvement of the ISMS. Figure labels: Interested Parties; Security Expectations and Requirements; Managed Information Security]

These Terms of Reference define the legal and technical framework of all related activities to be performed by the Contractor.

3. OBJECTIVES AND EXPECTED RESULTS

The overall objective of this Contract is to develop a framework for information security management (ISMS). This shall be achieved by adopting a PDCA model for security improvement and applying the best practices described in ISO/IEC 27001:2005. The Commission shall also adopt, as a minimum and where applicable, the control objectives and controls described in ISO/IEC 27002 for security management.

The expected overall result of this Contract is to examine the security requirements of the Commission and develop a framework for continual security improvement. Specific results of this assignment shall include fully documented security procedures for the Commission, which shall culminate in new or improved procedures for the following areas:

- Security Policy
- Organisation of Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental
- Communications and Operations Security
- Access Control
- Software Development
- Information Security Incident Management
- Business Continuity Management
- Compliance

4. SCOPE OF WORK

Information is a key business asset; the Commission has recognised this and is seeking to safeguard the confidentiality, integrity and availability of its information assets. The tasks under this Contract are categorised into two areas (Administrative and Technical Controls), described in Figure 2 below.

[Figure 2: Information Security Management. Administrative Controls: security policies, security awareness, compliance/governance, standards, procedures, etc. Technical Controls: firewall management, antivirus, access controls, monitoring, virtualisation, etc.]

The first set of tasks will improve the administrative and governance framework for security management, whilst the second set of tasks will review the technical security measures applied to safeguard the Information Systems Infrastructure. These control measures shall complement each other in providing the required security and protection against unauthorised disclosure of or access to information; details are provided in sections 6.1 and 6.2 respectively.

5. LEVEL OF EFFORT FOR THE SERVICES

The services shall involve periods of work mainly on-site at the premises of the Commission in Vienna, Austria, as well as off-site at the premises of the Contractor. The Commission estimates the Contractor's work to be 60 percent on-site at the Commission's Headquarters and 40 percent off-site at the Contractor's premises.

The effort invested to perform the work shall be quantified in Contractor man-days. One (1) Contractor man-day represents the effort of one (1) member of the Contractor's personnel, invested during one (1) day in performing the work ordered. The Commission estimates that the work expected to be performed under the Contract will require a level of Contractor's effort between 100 and 300 Contractor man-days on- and off-site over a period of one year after the Contract's signature. However, the Commission shall not be obliged to purchase a minimum or a maximum number of Contractor man-days for the work to be performed under the Contract.

6. WORK TASKS

6.1. Administrative Controls: acquire the necessary knowledge, develop and establish a governance framework for the Commission's ISMS

The Contractor may be requested to provide on-request services, which may include the following:

- Provide support in safeguarding the Commission's information assets by maintaining the confidentiality, integrity and availability of its critical assets;
- Review existing Information Security Policies, procedures and processes and make recommendations for improvements;
- Provide support in establishing ISMS controls documentation, implementation and maintenance, and make recommendations for ISMS procedures;
- Review corporate risk evaluation criteria and align them with the recommended best practice of organisations of similar structure and objectives to the Commission;
- Review, evaluate risks and make recommendations for improvements (where necessary) on the Commission's outsourcing policy on Information Systems;
- Review, evaluate risks and make recommendations for improvements (where necessary) on the Commission's open source policy on Operating Systems and software;
- Review the existing Security and IT Infrastructure (including database architecture, networks, applications, web services, virtualisation, etc.), align them with ISO 27001:2005 recommended practices and highlight areas for improvement;
- Provide guidance and support in rolling out the Information Security Roadmap for the Commission;
- Review the Commission's PKI key management policies, procedures and processes and make recommendations for improvement;
- Organise and conduct training on information security disciplines.

6.2. Technical Controls: provide support, documentation and technical security reviews

The Contractor may be requested to provide on-request services, which may include:

- DMZ/Network Architecture designs/reviews;
- Provide regular vulnerability assessments / security reviews of the Commission's IT Infrastructure (including firewalls, routers, servers, mail services, DNS, etc.);
- Provide forensic review / assessment of computer incidents where necessary;
- Review the security arrangements on the Global Communications Infrastructure and make recommendations for improvement.

7. ORGANIZATION OF WORK

7.1 The Commission, upon signature of the Contract, shall convene a kick-off meeting in Vienna to agree on detailed procedures for initiating, developing requirements for, approving, implementing, testing and accepting the Work Orders under sections 6.1 and 6.2 and the deliverables under section 8.

7.2 The Commission will request the initiation of the Work in the form of Work Orders. The Contractor shall not perform any work not requested by the Commission and defined in Work Orders.

7.3 The Work Order will be based on one or more tasks described in Work Tasks 6.1 and 6.2. Each Work Order will contain further definitions and a description of the exact nature of the work to be completed.

7.4 Coordination

(a) The Contractor shall report directly to a single nominated point of contact in the Commission.

(b) The Contractor shall conform to the Commission's working hours (8 hrs/day) and days (Monday to Friday) when working on-site at the Commission's Headquarters.

(c) If requested by the Commission in a Work Order, the Contractor shall participate in Contract performance meetings, which may be organized at the Commission's Headquarters in Vienna or at the Contractor's premises. During these meetings, planning and performance under the Contract, as well as any relevant topic related thereto, may be reviewed, discussed and recorded.

7.5 Upon receipt of a Work Order, the Contractor shall provide, at a minimum, the following information in response to the Work Order, to be approved by the Commission prior to the commencement of any work:

- Work plan and proposed schedule to accomplish the work;
- Assumptions, constraints and key risks that could affect task completion, and methods to manage the risks;
- CV(s) of the Contractor's consultant(s) nominated to perform the work. All CVs submitted for prior approval must detail the consultant(s) nominated to perform such work. Subsequent change of personnel accepted for duty shall occur only after obtaining prior approval by the Commission;
- Total cost for completion of the Work Order, including:
  o Number of man-days to be allocated to the work;
  o Place of work (on-site / off-site);
  o Travel costs;
  o Commencement date and completion date of the work.

8. DELIVERABLES AND ACCEPTANCE CRITERIA

At the end of a particular work under the Work Order, the Contractor shall submit to the Commission the deliverable as stated in the respective Work Order, together with a status report.

8.1. Status report

The status report shall summarise the work performed, the number of Contractor's personnel man-days used, authorised travel and subsistence costs for on-site work, and other important technical and managerial issues relating to the Contract.

8.2. Acceptance criteria

The deliverable and the status report shall be in accordance with the requirements of the Contract and the applicable Work Order, and their acceptance by the Commission shall be subject to the satisfactory completion thereof. The deliverable and the status report shall be the basis for invoicing and payment.

9. REQUIREMENTS OF THE CONTRACTOR AND ITS PERSONNEL

The Contractor shall meet or exceed the following qualifications:

- Proven track record in designing and implementing projects in the relevant technical field(s), preferably in advising large governmental organisations and/or NGOs on information security issues and leading them through establishing an ISMS;
- Proven track record of managing projects of a similar scope and complexity;
- Proven track record of applying Project Management and Quality Assurance (QA) measures / methodology;
- The Contractor shall be sufficiently large and stable to guarantee the level of long-term commitment and support to the services foreseen in these Terms of Reference;
- The Contractor shall provide three references for undertaking similar activities with other organisations.

The Contractor's personnel assigned to this Contract shall meet or exceed the following qualifications:

- Experience in information security management using ISO/IEC 27001:2005 best practice procedures;
- Experience in leading the development of an ISMS;
- Demonstrated security expertise with one or more of the following security certifications: CISSP, CISA, ISO/IEC 27001:2005 ISMS Auditor/Lead Auditor, CISM.