Data Protection Consultant



TERMS OF REFERENCE (TOR)

Title of Assignment: Data Protection Consultant

Location: Moldova

Duration: From July 1, 2024 to November 15, 2024

Application Deadline: July 16, 2024

1. Background, Objectives and Justification

The Institute for War & Peace Reporting (IWPR) is an independent not-for-profit organisation that works with media and civil society to promote positive change in conflict zones, closed societies, and countries in transition around the world. As part of its program activities, IWPR, in partnership with the Global Network of Women Peacebuilders (GNWP), is implementing its Building Resilience in the Eastern Neighbourhood (BREN) initiative, which is supported by the UK Government’s Integrated Security Fund (ISF).

IWPR’s BREN program seeks to strengthen the resilience of non-state actors, including marginalised communities, and enhance their ability to deliver transformative, inclusive, and sustainable contributions to peace, stability and security in Armenia, Azerbaijan, Georgia, and Moldova.

Civil society organisations (CSOs) in Armenia, Georgia, Moldova and Azerbaijan face a range of challenges and threats to their work. Research carried out with the support of ISF (including BREN’s own research) indicates that CSOs in the region are especially vulnerable to cyber-attacks, including data breaches and theft, due among other reasons to a lack of cyber security threat awareness and protective measures.

Already at heightened risk of cyber-attacks due to Russia’s invasion of Ukraine, Moldova faces aggravating circumstances in the immediate term with the occurrence of significant events, including elections in the fall.

Building on IWPR’s previous activities on this subject, IWPR is seeking a local expert consultant in Moldova to support strengthening data, information, and communications protection practices among up to 8 CSOs. The activity’s objective is to strengthen the CSOs’ data and communications protection practices so that sensitive information is protected from internal and external unauthorized access and use. (Note: Most of our potential trainees have already had basic cybersecurity instruction. We are not looking for a basic cybersecurity training course. Instead, we are looking for data protection topics. See below under Suggested Data Protection Training Topics for potential topics that should be addressed in the training.)

All trainers and mentors must speak Romanian and have a working knowledge of Russian. The services are scheduled to be delivered over four months, running from 22 July 2024 to 15 November 2024.

2. Scope of Work

The Consultant will support implementation of data, information, and communications protection strategy, policies, and procedures based on best practices among participating CSOs, as follows:

1) Provide one hybrid in-person/remote half-day training on data, communications and information security best practices. (Up to 8 CSOs are eligible to participate in the training. Each CSO may send up to 2 participants, for a total of 16 training beneficiaries. Some CSOs are located outside of the city and will not be able to attend in person, so the training must also be offered online with two-way engagement.) See below for suggested topics that should be covered during the training;

2) Conduct an audit of the participating CSOs’ data, communications, and information protection practices, identifying weaknesses. (Up to 8 CSOs are eligible to participate in the audit);

3) Collaborate with the CSO to develop a data, communications and information security strategy, policies and procedures, and corrective action plan, as needed, based on best practices (Up to 8 CSOs are eligible to participate in this activity);

4) Mentor the CSO as it implements the plan. Each CSO may receive up to 4 hours of mentoring during the project period. Up to 8 CSOs are eligible to participate in this activity. Mentoring hours must not exceed a maximum of 48 hours total for all CSOs combined.

Suggested Data Protection Training Topics

1. Understand data technologies and databases

- Database models (one-tier, two-tier and three-tier models)

- Data storage options (cloud, local)

-- Best practices

-- Recommendations of cloud providers (or what to look for in a cloud provider)

2. Identify and classify sensitive data; implement access controls

- Public data — Data that does not need special protection and can be shared freely.

- Private data — Data that employees may access but that should be protected from the wider public.

- Confidential data — Information that may be shared with only selected users, such as proprietary information and trade secrets.

- Restricted data — Highly sensitive data, like medical records and financial information that is protected by regulations.

3. Access controls (physical, technical and administrative)

- Administrative controls (supervisory responsibility, employee training, employee termination procedures, e.g. cutting access)

- Technical controls (data storage, permissions, access control lists; security devices and methods such as data loss prevention, firewalls, NAC, proxy servers)

- Physical controls (locking down computers/workstations, BIOS password control)

4. Laptop and mobile device security

- Best practices: Encryption, public wifi usage, VPNs, strong passwords, camera vulnerabilities and usage in the office

5. Data encryption (laptops, phones, computers, etc.)

- Best practices

- Recommended encryption tools (or what to look for in an encryption tool)

6. Data back-up

- Best practices

- Recommended tools (or what to look for in a data back-up tool)

7. Harden the organization’s systems

- Reconfiguring the operating system’s default/baseline settings

- Web servers (best-practice controls: updates, permissions)

- Email and email servers (best-practice configurations/settings)

8. Timely implementation of updates/patch management

9. Protecting data from insider threats

- Authorized users misusing rights and privileges

- Unauthorized users gaining access from inside the office, e.g., unprotected wireless network.

- Remote access vulnerabilities

10. Endpoint security tools (options, best practices, recommendations)

- Antivirus software

- Antispyware

- Pop-up blockers

- Firewalls

11. Securing/locking and recycling of equipment

Secure workspace area, disposing of trash, destruction of sensitive data, ID cards, access to keys, lock codes, discarding/recycling computers, phones, etc. 

12. Provide a model/template data usage policy

3. Main Deliverables and Timeline

Each deliverable is listed with its timeline and the milestone at which payment is made upon approval of the deliverable.

1) In consultation with IWPR, finalize the detailed workplan and develop the monitoring, evaluation and learning (MEL) framework for the project.
  Timeline: 1 week, July 2024
  Payment: At Milestone 1 below

2) Conduct 1 half-day hybrid (in-person with remote option) training on data, communications and information protection (up to 16 CSO representatives attending).
  Timeline: ½ day, July 2024
  Payment: Milestone 1: After the training is conducted and submission of the required invoice.

3) Conduct data, communications and information security audit of each participating CSO (up to 8 CSOs).
  Timeline: July-August 2024
  Payment: At Milestone 2 below

4) Develop data, communications and information protection strategy and corrective action plan, as needed, with each participating CSO based on best practices.
  Timeline: September-October 2024
  Payment: Milestone 2: After the plans are delivered to the CSOs and submission of the required invoice.

5) Mentor each participating CSO with implementation of the strategy and corrective action plan (up to 4 hours of mentoring per CSO). Mentoring hours must not exceed a maximum of 32 hours total for all CSOs combined.
  Timeline: September-October 2024
  Payment: At Final Payment below

6) Prepare MEL report and submit to IWPR.
  Timeline: Due November 15, 2024
  Payment: Final Payment: After delivery of the MEL report and submission of the required invoice.

4. Budget

Please submit a budget for IWPR’s review.

  • The budget should include all project-specific costs and expenses, including trainer and mentor fees, travel, etc. Consultant fees should be expressed as an hourly or daily rate, as applicable.
  • The Consultant does not need to include logistical costs related to providing the in-person training, e.g. venue, catering, teleconferencing set-up. IWPR will directly coordinate and fund such logistics.

5. Payment Schedule

The consultant will invoice for services rendered based on the Milestones identified in the table above.

6. Work Relationships

The Consultant shall report to and work directly with the BREN Capacity Building Manager. The Consultant will also work with IWPR’s respective country coordinators in each country.

7. Application and Evaluation Process

The Consultant should submit the following to vonda@iwpr.net by no later than July 16, 2024:

  • Proposed work plan, including a sample training agenda and topics, and a training plan and schedule.
  • Description of the organization or trainers/mentors and their respective experience and capabilities related to the subject matter of this ToR.
  • CVs of all proposed trainers and/or mentors.
  • Itemized budget for all costs and fees based on the chart in item 3 above (detailed costs in British Pound Sterling (GBP £), with applicable tax/charges clearly identified, and provided against each of the categories of services described in the chart).
  • Contact name, email address, and telephone number to facilitate communication between IWPR and the Consultant.

Applications will be evaluated based on the following criteria:

Experience – 30 points: Ability to deliver all the requirements set out by IWPR

Price – 30 points: Value for money

Technical – 40 points: Responsiveness to the ToR specifications and requirements

Evaluation criteria, sub-criteria and maximum points:

Experience (30 points)
  Evaluation sub-criteria: Organisational and/or individual experience. Experience in the subject matter of the ToR; prior work with CSOs; personnel and/or organisational resources are adequate and appropriate to implement the ToR’s activities.
  Points: (to be awarded)
  Max points: 30

Price (30 points)
  Evaluation sub-criteria: Budget reasonableness. Completeness of budget; all budget items are necessary and appropriate; price reasonableness; value for money.
  Points: (to be awarded)
  Max points: 30

Technical (40 points)
  Evaluation sub-criteria: Proposal/Work Plan. Does the proposal clearly explain, understand and respond to the requirements as stated in the Terms of Reference?
  Points: (to be awarded)
  Max points: 40