PLEASE NOTE: THIS CONSULTANCY IS OPEN TO CONSULTING FIRMS ONLY.
BIDS FROM INDIVIDUAL CONSULTANTS WILL BE DISQUALIFIED.
TERMS OF REFERENCE
PROVISION OF INFORMATION COMMUNICATION AND TECHNOLOGY AUDIT AND REVIEW SERVICES
- INTRODUCTION
Micro-Enterprises Support Programme Trust (MESPT) is a Kenyan development organization established in 2002. MESPT’s overall objective is to promote economic growth, employment creation and poverty alleviation through enterprise development. This is achieved predominantly through support to the development of agricultural value chains whilst embracing and promoting the green growth and climate change agenda. Through its vision of building a more Prosperous Society, MESPT facilitates increased commercialization, decent employment and green transformation through targeted interventions in the selected value chains. The Trust is a multi-donor entity jointly founded by the Government of Kenya and the European Union who later relinquished their position to the Royal Danish Embassy in Kenya, Ministry of Foreign Affairs of Denmark (DANIDA). To learn more about MESPT, please visit www.mespt.org.
- BACKGROUND
MESPT finalized its 2021-2025 midterm strategic review in quarter one of 2024. To ensure MESPT achieves its ICT goals as envisioned in the overall MESPT 2021-2025 strategy, we are seeking ICT audit consultants to audit ICT, report on the conclusions reached from the review and recommend suitable measures for rectifying any deficiencies identified, so that MESPT can achieve its ICT strategic objectives.
- OBJECTIVE OF THE ASSIGNMENT
The objective of the assignment is to undertake an end-to-end audit of the organization’s ICT and ICT systems vis-à-vis future plans, to identify future needs and gaps and to facilitate planning for an effective organization.
Specific Objectives
The consultant will be expected to carry out and deliver on the following tasks:
- Conduct a detailed review of the relevant literature, including ICT policies, ICT strategy and organization chart, and make recommendations.
- Hold consultations (face-to-face and/or virtual) with relevant stakeholders on methodologies and approaches for engagement
- Review the following to determine if they are being done according to best practices: MESPT IT Governance, IT processes, Enterprise security, Business Continuity and infrastructure.
- Explore threats, risks and opportunities
- Review the website and newsletter dissemination system for opportunities for improvement and optimal effectiveness.
- Presentation of findings to management and the Board.
The Scope of the Assignment
- Review MESPT IT Governance.
- IT and Business alignment
- IT Policies
- IT organization structures, roles and responsibilities
- Human resources
- Information Security and IT risk management
- Budget Metrics and Controls
- Legal and Regulatory Compliance
- ICT strategy
- Any other governance aspect that has been left out
- Review MESPT IT Processes.
- Vendor/Product selection
- Project management
- Change management
- Patch management
- Configurations controls
- Data restore and backup
- Support; helpdesk, incident response
- Service level management
- Vendor/third party management
- Software licensing
- Any other IT processes that have been left out
- Review MESPT Enterprise Security.
- Security configuration management
- Identity and access management
- User provisioning
- Administrative access
- Segregation of duties
- Remote access
- Third party access
- Security penetration and vulnerability testing
- Virus protection/detection
- Intrusion detection and response
- Review MESPT Business Continuity
- Business Impact Assessment
- Disaster Recovery Planning
- Disaster Recovery testing
- Any other Business Continuity aspect that has been left out
- Review MESPT Infrastructure
- Operating Systems
- Database Structures
- Networks
- Hardware
- Locations
- Tools (Email, Messaging etc.)
- Any other infrastructure aspect that has been left out
- Threats and vulnerability management
- Security strategy and compliance
- Security awareness and training
- Physical security
- Privacy and data protection
- Any other enterprise security aspect that has been left out.
- METHODOLOGY
It is recommended that, for maximum value generation from this assignment, the consultant adopt a participatory approach. This will be through collating and reviewing documents and carrying out interviews with relevant staff, e.g. ICT staff, MESPT Managers, Board.
- EXPECTED DELIVERABLES
- Inception report for the assignment outlining approach/methodology and detailed workplan.
- Share a draft report with information based on the literature review, physical review of the system and interviews with staff and the board
- Detailed report with appropriate recommendations and implementation workplan.
- Assignment Timelines
The duration of the assignment is 20 working days implemented over a period of two months from the time of signing the contract.
- Qualification and Competencies
- The firm’s experience with provision of Information technology and Information Security audit services (Minimum of 10 years).
- The consultant must demonstrate experience in undertaking similar assignments with regards to ICT and Information Security audit by providing at least three references of such assignments in the last three years.
- The Lead consultant must have:
- A degree in Computer science, Information technology or Information Security.
- A master’s degree from an accredited University in Computer science, Information Security or Information technology.
- Knowledge of IT frameworks such as ISO 27001, NIST, COBIT etc.
- Professional certification in both IT audit and Information Security (CISA and CISM or CISSP); other additional certifications are an added advantage.
- 10 years’ experience and above in the Information Technology industry
- Experience in ICT strategy development, review and advice to board members
- The list of proposed staff by specialty. Qualifications of team members evidenced by professional certifications and CVs.
- Computer science, Information Security or Information technology degree from an accredited University
- Hold at least one professional certificate in IT audit or Information Security
- Over 5 years’ experience in IT Audit
- Proposed methodology work plan including timeframes. This entails the detailed project schedule that covers the project plan, schedule and resource allocation.
- Any comments or suggestions on the terms of reference, a list of services to be provided by the client.
Notice to bidders on Technical Evaluation
- All bidders should indicate reference sites on ICT Audit of a similar nature and scope.
- Bidders must meet all our requirements to be progressed to the financial evaluation.
Any clarifications should be sent to [email protected]
Responses to clarifications will be posted on the above link for all bidders to see. Bidders are encouraged to click on the link from time to time to check on any clarifications/responses posted.
CONDITIONS
- MESPT reserves the right to accept or reject any proposal.
- Any canvassing will lead to automatic cancellation of the submitted proposal.