MINISTRY OF FINANCE, PLANNING AND ECONOMIC DEVELOPMENT
THE THIRD FINANCIAL MANAGEMENT AND ACCOUNTABILITY PROGRAMME (FINMAP III)
TERMS OF REFERENCE
IT SYSTEMS COMPLIANCE AND QUALITY ASSURANCE SPECIALIST

1.0 Background

The Government of Uganda (GoU), through the Ministry of Finance, Planning and Economic Development (MoFPED), has been implementing public financial management reforms in order to improve efficiency, transparency and accountability in the management of public resources, as well as to facilitate the standardisation of accounting and reporting frameworks. These reforms have, amongst others, involved the implementation of computerised financial management systems in Ministries, Agencies and Local Governments (MALGs). The implementation of these new systems is being undertaken in a phased manner, and separate systems are being rolled out depending on the specific requirements of the government agency/sector.

MoFPED has twin Datacenters connected to the MoFPED LAN and, over serial WAN links, to MALGs. One of the Datacenters provides failover services.

The key computerised financial management systems being used/implemented in government include:

1. The Oracle based Integrated Financial Management System (IFMS), which has been implemented mainly in central government votes. This system comprises an Oracle Financials E-Business Suite application (Oracle R12i Treasury Solution) and an Oracle 11g database hosted on HPUX 3.2. Implementation of this system started in 2003 and the application has so far been extended to 89 MALGs. The system architecture comprises decentralised data capture over a WAN with centralised data processing and storage at the MoFPED Datacenters.

2. The midrange Integrated Financial Management System (IFMS2), which is being implemented in local government votes. Implementation has so far covered 26 local governments, with plans to extend it to another 33 LGs in the financial year 2014/15. This system is built on a distributed topology with periodic synchronisation to a central platform at the MoFPED Datacenters. The technologies used are Microsoft Dynamics Navision 2009 and Microsoft SQL 2008 Enterprise on Windows Server 2008 R2 Enterprise.

3. The Microsoft Dynamics Navision 2009 financial management system used by the 33 Foreign Missions. The system is built on a distributed topology, with manual periodic consolidation.

4. The Computerised Education Management and Accounting System (CEMAS), due to be implemented in Public Universities and Self-Accounting Tertiary Institutions. This will be on Microsoft Dynamics GP 2013 with CRM and Students, Academics and Human Resource Management functions.
The systems have several operational or planned interfaces, including those with the Bank of Uganda, Uganda Revenue Authority, Uganda National Examinations Board, the Integrated Personnel and Payroll System, commercial financial services providers, etc. PFM functions and services are also dependent on auxiliary systems that provide, among others, support for communication, collaboration and reporting. These systems include mail exchangers and alert generators. Some of the support systems are critical for service delivery and information sharing tasks, e.g. user support and education, as well as for core business functions, e.g. authorisation and/or confirmation of EFT transactions. The auxiliary systems are centrally hosted at the MoFPED Datacenters and include IT operations and cyber security monitoring and administration tools.

Due to the expanding roll-out of the computerised financial management systems across government, the specialised nature of IT systems security processes, and the complexity and extended nature of government financial management operations, there is an added need to strengthen the management of the computerised financial management systems. MoFPED now seeks to recruit an IT Systems Security Compliance and Quality Assurance Specialist, with the consultant having significant responsibilities related to IT Systems Risk Management and Security Compliance.

2.0 Objective of the assignment

To support the Accountant General's Office in the review, development, oversight, monitoring and leadership of capacity building efforts for IFMS security management and quality assurance processes. In particular, the consultant will continuously appraise the systems security set-ups for the applications and related infrastructure, and advise management and other IT technical leads on required security enhancements and overall IT systems risk management measures.
3.0 Detailed assignment description

The IT Compliance and Quality Assurance Specialist will be responsible for supporting the establishment of an IT systems compliance unit and for reviewing, developing and monitoring the Compliance and Quality Assurance regime for all computerised systems, with a focus on the Oracle R12 E-Business Suite and Oracle 11g Database and their supporting infrastructure. We are seeking a seasoned IT Compliance and Quality Assurance professional with in-depth experience of working with integrated financial management systems, especially the Oracle E-Business Suite Applications R12 and related/supporting technologies.

The Consultant will have responsibility for developing the strategy, delivery and operational monitoring of all IT financial management systems compliance and quality assurance monitoring activities. Tasks will include: compilation and classification of financial management information assets; identification of threats to, and analysis of risks to, these assets; undertaking system vulnerability assessments; ensuring auditability of systems; providing secure system baselines; developing, implementing and testing security system designs; determining, analysing and interpreting security requirements; assisting with audit activities related to PCI/security compliance; monitoring system security controls; implementing automation, alerting and correlation of system security events; and developing and promoting the security strategy for protecting financial information assets and integrating it with the wider security strategy.

Specifically, the consultant will be required to perform the following duties:

1. Provide technical security expertise and guidance to the architecture, network and application teams.
2. Support the establishment of an IT Systems compliance unit in the Accountant General's Office.
3. Act as the advisor to IT and departmental functional operations teams on all enterprise IT Security initiatives.
4. Support the execution of information security risk assessments, along with internal and external auditors (OAG), for security and compliance issues.
5. Report on the levels of IT compliance-related risk to the appropriate levels of management and follow up to ensure that such risks are appropriately managed.
6. Lead the development, auditing and enforcement of IT Security Policies, Standards and Procedures for AGO managed systems, and identify/advise on opportunities for improvement.
7. Lead IT technical staff in evaluating, selecting, installing and testing security hardware and software.
8. Plan and implement information asset classification, threat and risk analysis, and mitigation measures.
9. Provide constraints, covering among others the standards and procedures to be used as templates in the specification, procurement, inspection and testing of IT/IS systems.
10. Lead the efforts for certification of IT based financial management systems to international standards in quality and operations management, e.g. ISO 9000, ISO/IEC 27001 and 27002.
11. Review business requirements, functional specifications and test cases to understand the functional and technical requirements of IT systems, in order to test the application and verify that those requirements are successfully met.
12. Ensure compliance with the standards of the software development life cycle and follow the strategies, plans and procedures within the development methodologies.
13. Provide and implement sets of minimum best practices, and verify implementation of all approved audit recommendations, e.g. segregation of duties, password rules, etc.
14. Manage performance and load testing, documentation, and bug triage with multiple business partners.
15. Review, develop and implement the security policies that will be adopted in granting users access to the application, databases and operating system platform.
In respect of the Oracle based IFMS, the consultant is expected to fulfil the following duties:

1. Review, test and deploy the database and security updates issued by Oracle.
2. Generate and analyse security reports and logs, and make recommendations where appropriate.
3. Periodically monitor, review and make recommendations on the access control set-ups for the application, databases and operating system platform.
4. Oversee the definition, coordination and assignment of user security and Application responsibilities, subject to the principle of segregation of duties.
5. Ensure data confidentiality and privacy policies are adhered to in the test, training, development and production environments. Review all database and application patch updates before deployment into the production environment.
6. Review the backup and recovery procedures in place and make recommendations.
7. Review the change control process and make recommendations.
8. Review and monitor the audit trails at both database and application levels.
9. Act as the subject matter expert supporting Oracle EBS Security System Administration.
10. On a periodic basis, review existing application user roles, role hierarchies and policies related to user role access, and make recommendations.
11. Secure baseline configuration items (databases, applications, OS) against unauthorised changes by monitoring change attempts and raising alerts.
12. Periodically review the database, application and operating system environment, including interfaces, and recommend the necessary security tools.

4.0 Reporting Arrangements

The consultant will functionally report to the Accountant General through the Commissioner, Financial Management Services. The Consultant will work closely with the other IT technical leads (Applications, Databases, Networks and OS), departmental heads, resident application support consultants and business users to ensure a robust, scalable and secure system operating within an appropriate risk management framework.
The consultant will be required to prepare the following reports:

1. Assignment inception report
2. Monthly/Quarterly performance reports
3. Annual performance reports
4. An end of assignment report, within two weeks after completion of the activities in the work plan or completion of the contract, whichever comes first

5.0 Key deliverables

1. Updated IT systems security policies and manuals
2. Adequate IT systems business continuity arrangements
3. Sound security practices for the IT Financial Management Systems and implementation of agreed key recommendations from security reviews
4. IT Systems Security Risk assessment reports and strategies for mitigation
5. Verifiably reduced vulnerability of the IT financial management systems
6. ISO certification for IT Systems and sound quality assurance measures for the development and usage processes of the IT financial management systems
7. An IT Systems Compliance Unit
8. Information Assets Classification and Risk Report
9. Essential cyber security procedures, including an Incident Response Procedure

6.0 Duration

The assignment contract will be for two years, renewable based on need and upon satisfactory performance.

7.0 Office tools and equipment

Government will provide office space and facilities for the performance of the duties under this consultancy.

8.0 Qualification requirements

1. An advanced degree in Information Technology, Computer Science or an equivalent professional certification.
2. A minimum of 8 years' working experience in a computer related field, with at least 4 years served directly in information security and IT compliance/audit, including knowledge and skills in examining, evaluating and testing complex business IT processes and related controls.
3. Professional certification in audit or security review of IT systems, such as CISA or CISSP, is a requirement.
4. Experience with enterprise application architectures, including ERP and CRM.
5. Experience in Oracle E-Business Suite Release R12. Oracle Certified Professional (OCP) certification is a requirement.
6. Familiarity with Microsoft Operations Framework 4 (MOF 4) is a requirement.
7. Knowledge and experience of using Oracle database monitoring tools/utilities and Grid Control packs (Diagnostics, Tuning, Provisioning, Data Masking, change control, configuration management, etc.), and Microsoft SQL.
8. Experience in formulating policy and developing/implementing new strategies and procedures.
9. Expertise with Microsoft Dynamics will be an added advantage.
10. Demonstrated experience in the leadership of a multi-skilled team.
11. Good report writing and communication skills, including the ability to read, analyse and interpret technical journals, financial reports and legal documents.
12. Sound integrity and the ability to maintain a high level of confidentiality.