REQUEST FOR PROPOSAL (RFP)
ISSUE DATE: 31ST MAY 2024
PROVISION OF ICT INFRASTRUCTURE SECURITY ASSESSMENT FOR MACRA
PROCUREMENT REF: MACRA/IPDC/IT-ICTISS/2024/06/2
1. BACKGROUND
The Malawi Communications Regulatory Authority (MACRA) is responsible for ensuring the integrity, confidentiality, and availability of its communication systems. To uphold these responsibilities and protect sensitive data, MACRA requires a comprehensive penetration testing exercise to assess the security of its systems, including several interconnected subnets. This exercise is crucial to identify vulnerabilities that could be exploited by malicious actors and to strengthen MACRA's defences against cyber threats. The testing will also support compliance with ISO/IEC 27001: simulated cyberattacks will be used to find areas of non-compliance with the standard's controls and the vulnerabilities associated with them.
Additionally, the testing will incorporate compliance with ISO/IEC 27034 for application security and ISO/IEC 27018 for protecting personal data in the cloud. It is against this background that MACRA intends to engage a consultant to carry out an ICT Infrastructure Security Assessment for the Authority.
2. OBJECTIVES FOR THE ASSIGNMENT
The main objective of this penetration testing exercise is to identify and evaluate vulnerabilities within MACRA’s systems and associated subnetworks.
2.1 Specific Objectives
- Assess the security posture of MACRA systems.
- Identify vulnerabilities that could be exploited by unauthorized actors.
- Provide recommendations for remediation to enhance overall security.
- Ensure compliance with relevant regulatory standards and best practices, including ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27034, and ISO/IEC 27018.
- Enhance MACRA's ability to detect, respond to, and recover from cyber incidents.
- Simulate cyberattacks to identify areas of non-compliance with ISO/IEC 27001 and to understand the impact of potential exploits.
3. SCOPE OF THE ASSIGNMENT
The following is the detailed scope for the assessment:
a) Assessment of Systems and Subnetworks
b) Vulnerability Identification and Exploitation
c) Security Controls and Configuration Review
d) Risk Assessment and Reporting
e) Post-Testing Analysis and Debrief
4. DELIVERABLES
The deliverables for the assignment include, but are not limited to, the following:
a) Comprehensive Report:
- Detailed report identifying vulnerabilities and their potential impact.
- Documentation of the vulnerabilities discovered, including evidence such as screenshots, logs, and network diagrams.
- An executive summary highlighting key findings and strategic recommendations.
b) Recommendations for Remediation:
- Actionable recommendations for mitigating identified risks.
- A detailed remediation plan to address vulnerabilities and enhance overall security posture.
c) Presentation for Senior Management:
A summary of key outcomes and action points tailored for senior management and relevant stakeholders.
d) Training Materials:
Training materials and sessions for MACRA staff on cybersecurity best practices based on the findings and industry standards.
e) Technical Documentation:
Detailed technical documentation supporting the findings and remediation strategies.
5. QUALIFICATION AND EXPERIENCE OF CONSULTANTS
The penetration testing team should possess the following qualifications, skills, and experience:
a) Qualifications:
- Certified Information Systems Security Professional (CISSP)
- Certified Ethical Hacker (CEH)
- Offensive Security Certified Professional (OSCP)
- Certified Information Security Manager (CISM)
- Certified in the Governance of Enterprise IT (CGEIT)
- Certified in Risk and Information Systems Control (CRISC)
b) Skills and Experience
- Proficient in penetration testing methodologies and tools, such as Metasploit, Nmap, Burp Suite, and Wireshark.
- Strong understanding of network protocols, operating systems, and web application security.
- Ability to identify and exploit vulnerabilities in various systems and applications.
- Knowledge of the ISO/IEC 27001, ISO/IEC 27034 (application security), and ISO/IEC 27018 (personal data protection in the cloud) standards and their requirements.
- Experience with security frameworks such as NIST, COBIT, and ITIL.
- At least 5 years of experience in conducting penetration tests and security assessments.
- Demonstrated experience in assessing and securing complex network infrastructures.
- Experience in preparing detailed technical reports and presenting findings to senior management.
- Familiarity with compliance requirements and regulatory standards, including ISO/IEC 27001, ISO/IEC 27034, ISO/IEC 27018, PCI DSS, and GDPR.
- Proven track record of improving organizational security posture through effective remediation strategies.
6. SELECTION METHOD
The consultant shall be selected in accordance with the Quality and Cost Based Selection (QCBS) procedures as set out in the Public Procurement Guidelines. Consultants are therefore instructed to submit their proposals in two separate labelled envelopes, one for the Technical Proposal and the other for the Financial Proposal.
7. TERMS OF REFERENCE (TORs)
Interested consultants or their representatives may obtain the detailed Terms of Reference (TORs) upon written request through the following email: procurement@macra.mw
8. PROPOSAL SUBMISSION
Completed copies of proposals in sealed envelopes clearly marked "PROVISION OF ICT INFRASTRUCTURE SECURITY ASSESSMENT TO MACRA" should be submitted in two separate envelopes, one marked "TECHNICAL PROPOSAL" and the other marked "FINANCIAL PROPOSAL", and must be delivered to the following address:
THE CHAIRPERSON
Internal Procurement and Disposal Committee (IPDC),
Malawi Communications Regulatory Authority (MACRA)
Area 13
Green Heritage House
P.O. Box 30214
Capital City
LILONGWE 3
Malawi
207213
E-mail: procurement@macra.mw
9. PROPOSAL OPENING
Opening of proposals shall take place in the Boardroom at MACRA Offices, in Area 3, Green Heritage House, P.O. Box 30214, Capital City, Lilongwe 3, on Friday 28th June 2024 at 10:00 hours. Bidders' representatives and members of the general public who wish to attend the opening ceremony are most welcome.
10. MACRA is, however, not bound to accept the lowest or any proposal, but reserves the right to select the lowest evaluated, substantially responsive proposal and may cancel the procurement proceedings at any stage.