RFP – PROVISION OF INFORMATION COMMUNICATION AND TECHNOLOGY AUDIT AND REVIEW SERVICES 174 views0 applications

PLEASE NOTE: THIS CONSULTANCY IS ELIGIBLE TO CONSULTING FIRMS ONLY.

BIDS FROM INDIVIDUAL CONSULTANTS WILL BE DISQUALIFIED.

TERMS OF REFERENCE

PROVISION OF INFORMATION COMMUNICATION AND TECHNOLOGY AUDIT AND REVIEW SERVICES

1. INTRODUCTION

Micro-Enterprises Support Programme Trust (MESPT) is a Kenyan development organization established in 2002. MESPT’s overall objective is to promote economic growth, employment creation and poverty alleviation through enterprise development. This is achieved predominantly through support to the development of agricultural value chains whilst embracing and promoting the green growth and climate change agenda. Through its vision of building a more Prosperous Society, MESPT facilitates increased commercialization, decent employment and green transformation through targeted interventions in the selected value chains. The Trust is a multi-donor entity jointly founded by the Government of Kenya and the European Union who later relinquished their position to the Royal Danish Embassy in Kenya, Ministry of Foreign Affairs of Denmark (DANIDA). To learn more about MESPT, please visit www.mespt.org.

1. BACKGROUND

MESPT finalized its 2021-2025 midterm strategic review in quarter one of 2024. To ensure MESPT achieves its ICT goals as envisioned in the overall MESPT 2021-2025 strategy. We are seeking ICT audit consultants to audit ICT, report on the conclusions reached from the review and recommend suitable measures for rectifying any deficiencies identified to ensure MESPT can achieve its ICT strategic Objectives.

1. OBJECTIVE OF THE ASSIGNMENT

The objective of the assignment is to undertake an end-to-end audit of the organization’s ICT and ICT systems vis a vie future plans to identify future needs and gaps to facilitate planning for an effective organization.

Specific Objectives

The consultant will be expected to carry out and deliver on the following tasks:

1. Conduct a detailed review of the relevant literature including-ICT policies, ICT strategy, organization chart and make recommendations.
2. Hold consultations (face-to-face and/or virtual) with relevant stakeholders on methodologies and approaches for engagement
3. Review the following to determine if they are being done according to best practices. MESPT IT Governance, IT processes, Enterprise security, Business Continuity and infrastructure.
4. Explore threats, risks and opportunities
5. Review the website and newsletter dissemination system for opportunities for improvement and optimal effectiveness.
6. Presentation of findings to management and the Board.

The Scope of the Assignment

1. Review MESPT IT Governance.
   1. IT and Business alignment
   2. IT Policies
   3. IT organization structures, roles and responsibilities
   4. Human resources
   5. Information Security and IT risk management
   6. Budget Metrics and Controls
   7. Legal and Regulatory Compliance
   8. ICT strategy
   9. Any other governance aspect that has been left out
2. Review MESPT IT Processes.
   1. Vendor/Product selection
   2. Project management
   3. Change management
   4. Patch management
   5. Configurations controls
   6. Data restore and backup
   7. Support; helpdesk, incident response
   8. Service level management
   9. Vendor/third party management
   10. Software licensing
   11. Any other IT processes that have been left out
3. Review MESPT Enterprise Security.
   1. Security configuration management
   2. Identity and access management
4. User provisioning
5. Administrative access
6. Segregation of duties
7. Remote access
8. Third party access
9. Security penetration and vulnerability testing
10. Virus protection/detection
11. Intrusion detection and response
12. Review MESPT Business Continuity
    1. Business Impact Assessment
    2. Disaster Recovery Planning
    3. Disaster Recovery testing
    4. Any other Business Continuity aspect that has been left out
13. Review MESPT Infrastructure
    1. Operating Systems
    2. Database Structures
    3. Networks
    4. Hardware
    5. Locations
    6. Tools (Email, Messaging etc.)
    7. Any other infrastructure aspect that has been left out
14. Threats and vulnerability management
15. Security strategy and compliance
16. Security awareness and training
17. Physical security
18. Privacy and data protection
19. Any other enterprise security aspect that has been left out.
20. METHODOLOGY

It is recommended that for maximum value generation for this assignment, the consultant will adopt a participatory approach, this will be through collating and reviewing documents, carrying out interviews with relevant staff e.g. ICT staff, MESPT Managers, Board.

1. EXPECTED DELIVERABLES
2. Inception report for the assignment outlining approach/methodology and detailed workplan.
3. Share a draft report with information based on the literature review, physical review of the system and interviews with staff and the board
4. Detailed report with appropriate recommendations and implementation workplan.
5. Assignment Timelines

The duration of the assignment is 20 working days implemented over a period of two months from the time of signing the contract.

1. Qualification and Competencies
2. The firms experience with provision of Information technology and Information Security audit services (Minimum of 10 years).
3. The consultant must demonstrate experience in undertaking similar assignments with regards to ICT and Information Security audit by providing at least three references of such assignments in the last three years.
4. The Lead consultant must have.
   • A degree in Computer science, Information technology or Information Security.
   • A master’s degree from an accredited University in Computer science, Information Security or Information technology.
   • Knowledge of IT frameworks such as ISO 27001, NIST, COBIT etc.
   • Professional certification in both IT audit and Information Security. (CISA and CISM or CISSP) other additional certifications are an added advantage
   • 10 years’ experience and above in the Information Technology industry
   • Experience in ICT strategy development, review and advise to board members
5. The list of proposed staff by specialty. Qualifications of team members evidenced by professional certifications and CVs.
   • Computer science, Information Security or Information technology degree from an accredited University
   • Hold at least one professional certificate in IT audit or Information Security
   • Over 5 years’ experience in IT Audit
6. Proposed methodology work plan including timeframes. This entails the detailed project schedule that covers the project plan, schedule and resource allocation.
7. Any comments or suggestions on the terms of reference, a list of services to be provided by the client.

Notice to bidders on Technical Evaluation

• All bidders should indicate reference sites on ICT Audit of a similar nature and scope.
• Bidders Must meet all our requirements to be progressed to the financial evaluation.