Audit of Active Directory related risks and controls at CGIAR System


Issued: November 2018
Request for Proposal
Audit of Active Directory related risks and controls at CGIAR System

A. Purpose

CGIAR is a global research partnership for a food-secure future. CGIAR science is dedicated to reducing poverty, enhancing food and nutrition security, and improving natural resources and ecosystem services. Its research is carried out by 15 CGIAR centers in close collaboration with hundreds of partners, including national and regional research institutes, civil society organizations, academia, development organizations and the private sector.

CGIAR research centers are independent legal entities. The CGIAR partnership is supported by the CGIAR System Organization, which interacts on behalf of the Centers with the CGIAR Funders through their representative body, the System Council. The System Management Board (SMB) is the governing body of the System Organization, and the System Management Office is responsible for the day-to-day operations of the System Organization. Additional information about the CGIAR is available at

CGIAR Centers share the tenancy of an Active Directory domain which is managed by a third-party provider. The System Organization holds a contract with the third-party provider on behalf of the CGIAR Centers. The SMB, through its Audit and Risk Committee (ARC), which has oversight responsibility over cross-CGIAR System risks and controls, requested the CGIAR System Internal Audit Function (IAF) to conduct an assessment of the measures in place to manage risks around CGIAR Active Directory.

The Active Directory audit/assurance review will aim to provide the SMB with:
- an evaluation of the adequacy of the Active Directory implementation and management, and of the design of security controls;
- an independent assessment of the operating effectiveness of the security controls;
- actionable and feasible recommendations for improvements.

B. What we are seeking

We are currently seeking an experienced IT audit professional to conduct the assessment of the Active Directory governance, risks and controls, including the configuration settings established during Active Directory implementation and the maintenance of this configuration during the life cycle of the Active Directory.

Informed by the CGIAR System IAF Charter and the results of the 2018 audit "Collectively managed ICT Systems", key responsibilities include, through assurance activities, to:

1. Assess risks related to Active Directory, including but not limited to:
   - Disruption of computing services;
   - Destruction of enterprise data;
   - Disclosure of sensitive information, including identities, intellectual property, etc.;
   - Reputational risk and loss of confidence by stakeholders due to disclosure of information or related publicity;
   - Fines and penalties;
   - Lost productivity due to inefficient security administration;
   - Security breaches;
   - Third party failure.
2. Assess controls to manage the identified risks, including but not limited to the controls necessary to secure the Active Directory infrastructure that supports the servers and workstations within the enterprise, focusing on the configuration controls relating to, but not limited to:
   - Active Directory management;
   - Secure Active Directory boundaries;
   - Secure domain controllers;
   - Physical security of the domain controllers;
   - Secure domain and domain controller configuration settings;
   - Secure administrative practices;
   - Third party provider management controls.
3. Make practical recommendations for improvements for the safe, efficient and effective use of Active Directory.
4. Scope excludes:
   - Windows server configurations;
   - Workstation configurations;
   - Domain Name Service (DNS) management;
   - Controls at the Center level.
5. The work is to be delivered remotely, drawing on the available technology to interact with relevant stakeholders and to review documents and systems. days are allocated to this work, including planning, field work and reporting.

The Charter of the CGIAR System Internal Audit Function is attached at Appendix 1.

C. Deliverables and timeline

Deliverables: Under the direction and overall guidance of the Head, CGIAR System Internal Audit Function:
1. By end November 2018, develop Terms of Reference for the engagement based on a preliminary review of existing documents and interviews with responsible staff and managers.
2. By end December 2018, finish the audit activities according to the approved Terms of Reference of the engagement.
3. By mid-January 2019, deliver a draft audit report detailing audit findings, recommendations and agreed actions to improve controls relating to CGIAR Active Directory.
4. Hold weekly update meetings on the progress of work with the Head, CGIAR System Internal Audit Function.
5. Document work in the audit software used by the CGIAR System Internal Audit Function, MKInsight. Training will be provided.

Timeline:
6. The consultancy is anticipated to begin not later than end-November 2018 (and preferably earlier), and the duration of the assignment will be 20 working days of elapsed time. Most of the assignment work should finish by end

D. Knowledge, skills, and abilities

The ideal candidate will have a combination of the following:

Education and Experience:
Required:
- Advanced university degree in IT or related field
- Professional qualifications CIA, CISA or equivalent
- At least 5 years post-qualification experience in IT risk assessment and auditing in a complex international organization setting
Preferred:
- Practical recent experience in IT infrastructure management and setting of IT security controls
- Experience of conducting audits of similar scope

Key Technical Competencies:
Required:
- Requisite knowledge of Active Directory, its functionality, features, weaknesses and security good-practices
- Thorough understanding of best practices of third party management in the context of IT management
- Highly organized
- A goal-orientated approach to work
- Effective communicator in English

Eligibility criteria for consultancy

The following persons are not eligible to put forward a proposal:
- A spouse or family member of a current staff member or consultant of the CGIAR System Organization.

Consultancy Details
- Home-based with remote working arrangements.
- Virtual consultations are expected to be undertaken by Skype and/or through a portal. Access to the latter will be facilitated by the CGIAR System Internal Audit Function.
- Consultants are responsible for all tax liabilities arising from this assignment.
- Consultants are responsible for securing their own insurance arrangements.

Evaluation and Selection Criteria

Criteria for evaluation of proposals will be based on the following assessment:

Narrative proposal (90% weighting)
- Quality and relevance of the technical proposal (refer to section F below)
- Required education and experience, with consideration of Preferred education and experience as an additional benefit

Budget proposal (10% weighting)
- Clarity and relevance of the proposal costs (refer to section F below)
- Value for money as perceived by the contracting body in the context of operating in a not-for-profit context.

The CGIAR System Organization will be the final arbitrator on the award of any consultancy contract based on submitted proposals, without further submissions, clarifications, discussions or negotiations. Therefore, each proposal submitted by the closing date should already contain the bidder's best technical and budget terms.

E. Who we are

CGIAR is a global research partnership for a food-secure future. CGIAR science is dedicated to reducing poverty, enhancing food and nutrition security, and improving natural resources and ecosystem services. Its research is carried out by 15 CGIAR Centers in close collaboration with hundreds of partners, including national and regional research institutes, civil society organizations, academia, development organizations, and the private sector. These 15 Centers have close to 10,000 staff based in over 50 countries.

The CGIAR System Organization, which is an international organization headquartered in Montpellier, France, provides governance to the CGIAR System in collaboration with the System Council and has about 40 staff.

The Organization is committed to cultivating a work environment that reflects teamwork, gender equality, and respect for diversity. We endeavor to foster a multi-cultural environment that is free of any form of harassment and discrimination, and that embraces and values individuals regardless of age, ethnicity, race, gender, national or social origin, marital status or any other form of personal identity.

Please find more information about CGIAR at

F. How to submit a proposal

Please submit a narrative proposal and a budget proposal as two separate documents to smo-procurement@cgiar.org. Both documents can be attached to the same

1. The narrative proposal must consist of no more than 10 pages (excluding annexes) using Microsoft Word or similar format. Font size must not be smaller than 11pt Arial normal. Margins should be set to the standard Microsoft A4 Normal setting. The format of the narrative proposal is set out in Table 1 below.

Table 1: Format of Narrative Proposal

Contents:
Executive Summary, specifically setting out the merits of your proposal
1. Your understanding of our requirements (informed by completing comparable assignments)
2. Your suggested approach
   a. Approach to achieve the objectives of the assignment
   b. Your understanding of risks related to the circumstances specific to CGIAR in relation to Active Directory
   c. How you will maximize the value added and minimize effort/fees
3. Relevant Experience
   a. Education, experience and competencies, with a minimum of 2 references who we may contact at our discretion
   b. Your knowledge and/or experience of CGIAR/its Centers, its Partners and the agriculture science sector or similar organizations
4. Reporting
   a. Timing and format of status updates, including potential observations and leading practice suggestions
   b. Proposed work timelines
5. Other Information
   a. A statement disclosing any real, apparent or perceived conflict of interest in the delivery of the consultancy
   b. A statement of any fees earned from CGIAR/its Centers since 1 January 2017 to present
6. Appendices (any other/supplementary information you wish to submit)

2. The budget proposal must be presented using Microsoft Excel or similar format and consist of, at a minimum, the following line items: consultant time, resources, travel (if any). The budget must be presented in Euros.

All proposals must be received no later than 12am, Montpellier, France local time on Friday 16 November. Only electronically submitted proposals will be considered. Late proposals will not be considered.

Enquiries on the consultancy may be submitted in writing only, addressed to smo-procurement@cgiar.org. Responses will be provided within 1 working day of receipt.