RFP for Provision of Independent Information Security Review System
UNOPS
Request for proposal
Reference:
RFP/2022/44395
Beneficiary countries or territories:
Kenya
Registration level:
Basic
Published on:
28-Nov-2022
Deadline on:
11-Jan-2023 09:00 (GMT 0.00)
Description
Tender description: Provision of Independent Information Security Review System
IMPORTANT NOTE: Interested vendors must respond to this tender using the UNOPS eSourcing system, via the UNGM portal. In order to access the full UNOPS tender details, request clarifications on the tender, and submit a vendor response to a tender using the system, vendors need to be registered as a UNOPS vendor at the UNGM portal and be logged into UNGM. For guidance on how to register on UNGM and submit responses to UNOPS tenders in the UNOPS eSourcing system, please refer to the user guide and other resources available at: https://esourcing.unops.org/#/Help/Guides
Interested in improving your knowledge of what UNOPS procures, how we procure and how to become a vendor to supply to our organization? Learn more about our free online course on “Doing business with UNOPS” here
This tender has been posted through the UNOPS eSourcing system. Vendor Guide: https://esourcing.unops.org/#/Help/Guides
First name:
N/A
Surname:
N/A
Link | Description
---|---
https://esourcing.unops.org/#/Help/Guides | UNOPS eSourcing – Vendor guide and other system resources
80101507 - Information technology consultation services
New amendment added #2: This amendment is for uploading the minutes of the Pre-bid meeting for the Request for Proposal referenced RFP/2022/44395, including Annex 1 - Evaluation criteria and Annex 2 - Clarification Questions raised by offerors in the eSourcing platform.
Edited on:
19-Dec-2022 20:33
Edited by:
webservice@unops.org
New clarification added:
Dear UNOPS Procurement Team,
Please find below the link with our clarification items for your review and response.
Response: Please refer to page 19 of Annex 2 of the Pre-bid meeting minutes document for the questions and responses from UNOPS as asked in the questionnaire.
We also request your consideration for an extension based on the information requested in the clarification to enable us to provide a comprehensive response when you share the addendums/answers.
Response: The RFP has been extended until 11th Jan 2023.
Thank you in advance and best regards,
Bids Team.
Edited on:
19-Dec-2022 19:50
Edited by:
webservice@unops.org
New clarification added:
Question: What are the estimated lines of code for the ERP, CMS, and website application? And their supporting languages?
Response: ERP has 20K lines of code (including HTML). CMS has 14K lines of code (including HTML). Other components are about 4K lines of code. Languages: C# (.NET), JavaScript, HTML, XML. The ERP and CMS are customizations of Microsoft Dynamics. The website uses WordPress for content management and has 3rd party plugins.
Question: Based on the requirement "Analyse test output and generate reports - the selected vendor should thereafter analyze both the information security control and process data collected and create a baseline for upcoming security audits", please elaborate on what type of baselines UNOPS requires the external ICT security vendor to create.
Response: Baseline refers to an existing state of technical and administrative controls.
Question: Does the ethical disclosure report required by UNOPS relate ethical disclosure to the general public, or to internal disclosures, or to general bug bounty programs?
Response: The ethical disclosure component simply refers to the ways disclosure of results would be managed:
1) Internal audit, where IPOA leads and the selected company is helping develop the strategy, audit and test practices, will be under non-disclosure, and IPOA & UNOPS are receiving the report.
2) External audit, where ICTA leads and you are helping, will be under Mandatory Reporting, where anything that is detected will be reported to both ICTA and IPOA.
3) 3rd party audit, where the selected company leads, will be under non-disclosure, where IPOA & UNOPS are the only orgs receiving the report.
Question: Please expound on all the components (servers, network devices, operating systems, and databases) involved in the case management system, ERP, and any other IT infrastructure supporting the IPOA operations that would form a part of the scope for this assessment.
Response:
- 12x servers
- 5x SAN/NAS units
- 71x network equipment (routers, switches, firewalls, WLAN controllers, Wi-Fi APs, etc.)
- About 300 end user machines
- About 500 ADS container objects
Edited on:
19-Dec-2022 19:48
Edited by:
webservice@unops.org
New clarification added:
Question (Web App Pentest): Could you please clarify the number of web applications, user roles and APIs that would be subject to the pentest's scope for this proposal?
Response: Web applications: 9. User roles: 38. APIs: 4.
Question (Vulnerability Assessment): Could you please clarify the total number of Private/Internal IP addresses that would be subject to pentest?
Response: Public: 3x ISPs with /29 public addresses. Private: about 250 networked devices per data center and about 30 per region.
Question (Penetration Testing): Could you please clarify the total number of Public/External IP addresses that would be subject to pentest?
Response: 3x /29.
Question (Code Review): Could you please help us with the approx. lines of code (technology wise)?
Response: 38K lines of code (some of which is HTML).
Question: What will be the execution mode, i.e. is Onsite or Offshore/Remote preferred?
Response: Onsite for any penetration testing, initial meetings, reports presentation and monthly progress reports (weekly will be online).
Edited on:
19-Dec-2022 19:44
Edited by:
webservice@unops.org
New clarification added:
Dear Procurement Team, Hope this finds you well.
Question: Kindly advise if this is a restricted RFP for the companies invited. If not, can one register on your UNOPS portal and participate?
Response: This is an open competitive tender. Please register in UNGM and you will subsequently be able to respond to the tender in the UNOPS portal.
Question: Please check with your client IPOA and advise if there will be a conflict of interest in the event the company that does the security analysis/audit/consultancy/advisory gets to bid for the supply and implementation of recommended solutions.
Response: Please refer to paragraph 4 of Section I (Instruction to Offerors) on Offeror Eligibility: "An Offeror shall not have a conflict of interest. An Offeror shall be considered to have a conflict of interest if:" Paragraph 4 (2nd bullet point): "An Offeror is associated, or has been associated in the past, directly or indirectly, with a firm or any of its affiliates which have been engaged by UNOPS to provide consulting services for the preparation of the design, specifications, and other documents to be used for the procurement of the goods, services or works required in the present procurement process;" Therefore, the awarded bidder/s for the independent review (under this current RFP tender) will not be eligible to implement the recommendations/solutions. The implementation is not part of the UNOPS project scope at this point in time.
Please note that this response supersedes the response earlier published for the first and second questions.
Edited on:
19-Dec-2022 19:41
Edited by:
webservice@unops.org
New clarification added:
Dear Sir/Madam, We have the following queries:
1. Please provide an inventory of all systems (number of assets, type of assets) that shall be in scope for the Cybersecurity Audit.
Response:
- 12x servers
- 5x SAN/NAS units
- 71x network equipment (routers, switches, firewalls, WLAN controllers, Wi-Fi APs, etc.)
- About 300 end user machines
- About 500 ADS container objects
2. Provide the number of sites that will be in scope.
Response: Nairobi and Nakuru IPOA's offices; traveling to Nakuru will be needed only during the initiation phase and during penetration testing.
3. Provide the number of systems that are externally accessible.
Response: 3x ISPs with a /29 public address range each.
4. With regards to designing assessment, test and audit strategies for UNOPS' clients, please provide the number of clients that shall be in scope and their nature of business, and also what is the expectation of deliverable for Design and validation of assessment, test, and audit strategies for UNOPS' clients for internal, external and 3rd party assessments/tests/audits.
Response: Single client, IPOA, policing oversight.
5. With regards to this requirement, "Conduct or facilitate security audit - the selected vendor should conduct the first audit (3rd party) in the period 6 months after the conducted control/process assessment and should facilitate minimum 2 engagements with internal (IPOA) and external (ICTA) auditors conducted mid and late 2023." - This section is not clear. Our comprehension of the requirement is to conduct an audit for cyber risk for UNOPS. Please clarify the requirements.
- First audit: for which company is it applicable, and why is it called a third party audit? Control/process for which company? What is the expected deliverable for this section?
- What is the expected deliverable from the bidder with respect to facilitating engagement with IPOA and ICTA external auditors?
Response: The general response to Question 5 above is: The contract has 5 specific parts:
i. Design and validate assessment, test, and audit strategies with:
   1) Internal assessment, test & audit strategy (IPOA with successful bidder's help)
   2) External assessment, test & audit strategy (ICTA with successful bidder's help)
   3) Third party assessment, test & audit strategy (successful bidder)
ii. Conduct security control testing with:
   1) Vulnerability assessment (successful bidder)
   2) Penetration testing (successful bidder)
   3) Log reviews (successful bidder)
   4) Synthetic transactions (successful bidder)
   5) Code review and testing (successful bidder)
   6) Misuse case testing (successful bidder)
   7) Test coverage analysis (successful bidder)
   8) Interface testing (successful bidder)
   9) Breach attack simulations (successful bidder)
   10) Compliance checks (successful bidder)
iii. Collect security process data with:
   a. Account management (successful bidder)
   b. Management review and approval (successful bidder)
   c. Key performance and risk indicators (successful bidder)
   d. Backup verification data (successful bidder)
   e. Training and awareness (successful bidder)
   f. Disaster Recovery (DR) and Business Continuity (BC) (successful bidder)
iv. Analyze test output and generate reports with:
   a. Remediation (successful bidder)
   b. Exception handling (successful bidder)
   c. Ethical disclosure (successful bidder)
v. Conduct or facilitate security audit:
   a. Internal (IPOA with successful bidder, mid and end 2023)
   b. External (beginning and end 2023, ICTA with successful bidder)
   c. Third-party (successful bidder)
6. Please provide more insight on the number of components in scope for Case Management, ERP and website.
Response:
- 12x servers
- 5x SAN/NAS units
- 71x network equipment (routers, switches, firewalls, WLAN controllers, Wi-Fi APs, etc.)
- About 300 end user machines
- About 500 ADS container objects
Please note that this response supersedes the response earlier published for the first and second questions.
Edited on:
19-Dec-2022 19:39
Edited by:
webservice@unops.org
New amendment added #1: This amendment is for the extension of the bid closing date from 20 December 2022 to 11 January 2023. The clarifications document and the minutes for the pre-bid meeting will follow shortly.
Edited on:
19-Dec-2022 16:10
Edited by:
webservice@unops.org
New clarification added:
Dear Bidders,
Please note that we are finalising your clarifications/questions. Once the process is complete, we will upload the clarification document. In the meantime, the tender will be extended to close on 11 January 2023.
Regards,
UNOPS team
Edited on:
19-Dec-2022 11:43
Edited by:
webservice@unops.org
New clarification added:
Dear Sir/Madam, We have the following queries:
1. Please provide an inventory of all systems (number of assets, type of assets) that shall be in scope for the Cybersecurity Audit.
Response: The list of all systems is as below:
- 12x servers
- 5x SAN/NAS units
- 71x network equipment (routers, switches, firewalls, WLAN controllers, Wi-Fi APs, etc.)
- About 300 end user machines
- About 500 ADS container objects
2. Provide the number of sites that will be in scope.
Response: Nairobi and Nakuru IPOA's offices; traveling to Nakuru will be needed only during the initiation phase and during penetration testing.
3. Provide the number of systems that are externally accessible.
Response: 3x ISPs with a /29 public address range each.
4. With regards to designing assessment, test and audit strategies for UNOPS' clients, please provide the number of clients that shall be in scope and their nature of business, and also what is the expectation of deliverable for Design and validation of assessment, test, and audit strategies for UNOPS' clients for internal, external and 3rd party assessments/tests/audits.
Response: Single client, IPOA, policing oversight.
5. With regards to this requirement, "Conduct or facilitate security audit - the selected vendor should conduct the first audit (3rd party) in the period 6 months after the conducted control/process assessment and should facilitate minimum 2 engagements with internal (IPOA) and external (ICTA) auditors conducted mid and late 2023." - This section is not clear. Our comprehension of the requirement is to conduct an audit for cyber risk for UNOPS. Please clarify the requirements.
- First audit: for which company is it applicable, and why is it called a third party audit? Control/process for which company? What is the expected deliverable for this section?
- What is the expected deliverable from the bidder with respect to facilitating engagement with IPOA and ICTA external auditors?
Response:
a) The contract has 5 specific parts:
i. Design and validate assessment, test, and audit strategies with:
   1) Internal assessment, test & audit strategy (IPOA with successful bidder's help)
   2) External assessment, test & audit strategy (ICTA with successful bidder's help)
   3) Third party assessment, test & audit strategy (successful bidder)
ii. Conduct security control testing with:
   1) Vulnerability assessment (successful bidder)
   2) Penetration testing (successful bidder)
   3) Log reviews (successful bidder)
   4) Synthetic transactions (successful bidder)
   5) Code review and testing (successful bidder)
   6) Misuse case testing (successful bidder)
   7) Test coverage analysis (successful bidder)
   8) Interface testing (successful bidder)
   9) Breach attack simulations (successful bidder)
   10) Compliance checks (successful bidder)
iii. Collect security process data with:
   a. Account management (successful bidder)
   b. Management review and approval (successful bidder)
   c. Key performance and risk indicators (successful bidder)
   d. Backup verification data (successful bidder)
   e. Training and awareness (successful bidder)
   f. Disaster Recovery (DR) and Business Continuity (BC) (successful bidder)
iv. Analyze test output and generate reports with:
   1. Remediation (successful bidder)
   2. Exception handling (successful bidder)
   3. Ethical disclosure (successful bidder)
v. Conduct or facilitate security audit:
   1. Internal (IPOA with successful bidder, mid and end 2023)
   2. External (beginning and end 2023, ICTA with successful bidder)
   3. Third-party (successful bidder)
b) See above.
c) See above.
d) See above.
6. Please provide more insight on the number of components in scope for Case Management, ERP and website.
Response:
- 12x servers
- 5x SAN/NAS units
- 71x network equipment (routers, switches, firewalls, WLAN controllers, Wi-Fi APs, etc.)
- About 300 end user machines
- About 500 ADS container objects
Thank You
Regards
Edited on:
19-Dec-2022 09:34
Edited by:
webservice@unops.org
New clarification added:
Dear Procurement Team, Hope this finds you well.
Kindly advise if this is a restricted RFP for the companies invited. If not, can one register on your UNOPS portal and participate?
Please check with your client IPOA and advise if there will be a conflict of interest in the event the company that does the security analysis/audit/consultancy/advisory gets to bid for the supply and implementation of recommended solutions.
Looking forward to your response.
Kind regards, Bids Desk.
Response:
1. This is an open competitive tender. Please register in UNGM and you will subsequently be able to respond to the tender in the UNOPS portal.
2. IPOA has confirmed that all the vendors that participate in this bid would still be eligible for any InfoSec bid issued by IPOA itself in future. However, current UNOPS contractors and subcontractors that are working on the existing IPOA project are not eligible for this process as per UNOPS rules and regulations.
Edited on:
19-Dec-2022 09:17
Edited by:
LaszloG@unops.org