The African Regional Intellectual Property Organization (ARIPO) is an intergovernmental organization created in 1976 under the Lusaka Agreement, concluded under the auspices of the United Nations Economic Commission for Africa (ECA) and the World Intellectual Property Organization (WIPO). Membership in the Organization is open to all member states of the African Union (AU). Presently, members of the Organization are Botswana, Cape Verde, the Kingdom of Eswatini, The Gambia, Ghana, Kenya, the Kingdom of Lesotho, Liberia, Malawi, Mauritius, Mozambique, Namibia, Rwanda, Sao Tome and Principe, Seychelles, Sierra Leone, Somalia, Sudan, Uganda, the United Republic of Tanzania, Zambia, and Zimbabwe (total: 22 states).

As part of its ongoing effort to improve controls, ensure efficient use of its Information Technology (IT) systems and align its IT strategy with its business strategy, ARIPO seeks to engage a professional service provider to conduct an independent IT audit of its IT infrastructure, systems and environment, report any significant issues or key findings, and make practical recommendations, including risk mitigation strategies, to address the control deficiencies identified.

  1. Objective of the assignment

This bid aims to appoint a suitably qualified and experienced service provider to carry out an independent evaluation of ARIPO's applications, databases, server architecture and network infrastructure, to identify gaps in those systems, and to assess whether ARIPO has an adequate IT security framework in line with the best practices of the Enterprise Architecture Framework. The scope includes assessing ARIPO's applications, security settings, servers, network and associated IT infrastructure. The main goals of the security audit are the following:

  • State of affairs report: To review the overall application and network technical design and deployment in order to determine whether these designs are fit for purpose and what gaps exist within the designs and their deployment.
  • Application software architecture review: To provide assurance that the technical architecture of all operational and ancillary applications meets the current and future needs of the organization. The auditor must assess controls and authorizations; error and exception handling; business process flows within the application software and the complementary controls (enterprise-level, general, application and specialist IT controls); and the procedures for, and validation of, reports (both operational and financial) generated from the system.
  • Network architecture and security review: ARIPO operates in environments with differing policy frameworks governing the storage and transmission of IP and financial data. The consultant will therefore perform a network and data-transmission security audit to identify the threats and gaps this creates. This audit aims to provide assurance that the deployed components (databases, web and application servers, cache systems and other systems) are adequately secured and meet the control objectives of ARIPO's control framework. Review of internal and external connections to the systems, perimeter security, firewall rule review, router access control lists, port scanning and intrusion detection are typical areas of coverage.
  • Data integrity review: To provide assurance that the database design and structure are appropriate for the organization's needs, the corresponding applications and future integration needs. The review scrutinises live data to verify the adequacy of controls and to determine the impact of any weaknesses found.
  • Business continuity review: The review covers the existence and maintenance of fault-tolerant and redundant hardware; backup procedures and storage; a documented and tested disaster recovery/business continuity plan and the effectiveness of that plan; and the existence of a well-defined Information System (IS) Audit manual and compliance with it.

  2. Scope of work and deliverables

Scope of work

The successful service provider will be expected to deliver, amongst others, a comprehensive digital applications and information systems security audit, which must cover the following key processes and procedures:

  • Penetration testing and vulnerability assessment
  • Application software architecture analysis
  • Scaling and expansion options and policy framework
  • Data integrity audit
  • Security & privacy policies
  • Business continuity assessment
  • Change Management procedures
  • Logical Access Controls
  • User Management and Security audit
  • Performance, Scalability and availability audit
  • Consistency with requirement specification audit
  • Incident management
  • Backup practices
  • Software Document Management

Deliverables

The consultant will be required to provide the following deliverables:

  • State of affairs report
  • Application software architecture audit report
  • Data integrity audit report
  • Business continuity audit report
  • Network security audit report
  • Backup practices report
  • Inception report
  • Draft Gap Analysis report, with recommendations, and
  • Final Comprehensive report

  3. Reporting Requirements

The service provider shall report to the Director General through the Head of Internal Audit, who acts as the contact person for ARIPO.

  4. Duration of the Assignment

The assignment is tentatively set to start on 14 October 2022, and the assignment should be completed by 31 December 2022.

  5. Required Technical Expertise

For undertaking the assignment, the consultant should:

  • Be a registered firm.
  • Have a track record of similar assignments in the public sector or related institutions (indicate years of experience).
  • Provide the qualifications, experience and professional competencies of the team in information and communication technology or computer science.
  • Provide a detailed explanation of the methodology and project implementation plan, which details how the service will be carried out as outlined in the scope. The project plan must have deliverables and timeframes.
  • Provide contactable positive references from clients for whom projects were executed in a similar environment.

  6. Assessment Criteria

Proposals will be assessed based on the following criteria:

  • Understanding of the scope of work
  • Methodology for undertaking the assignment
  • Evidence of undertaking similar work for large-scale organizations
  • Qualifications and experience of the lead consultant and the team members who will be working on the project
  • Consultancy fees

  7. Submission of Proposals

Interested companies/firms are invited to submit proposals detailing their capabilities, experience, and a list of completed and ongoing similar assignments on or before Monday, 26 September 2022, before 1100 hours. No late submissions will be accepted. Proposals clearly marked "ATIN:2022/08/ITSECURITY-AUDIT-SERVICES/10" should be addressed to:

The Director General

African Regional Intellectual Property Organization (ARIPO)
11 Natal Road, Belgravia
P O Box 4228
Harare, Zimbabwe
E-mail: procurement@aripo.org
