TERMS OF REFERENCE (TOR)
Title of Assignment | Data Protection Consultant
Location | Moldova
Duration | From: July 1, 2024 | To: November 15, 2024
Application Deadline | July 16, 2024
1. Background, Objectives and Justification
The Institute for War & Peace Reporting (IWPR) is an independent not-for-profit organisation that works with media and civil society to promote positive change in conflict zones, closed societies, and countries in transition around the world. As part of its program activities, IWPR, in partnership with the Global Network of Women Peacebuilders (GNWP), is implementing its initiative Building Resilience in the Eastern Neighbourhood (BREN), which is supported by the UK Government’s Integrated Security Fund (ISF).
IWPR’s BREN program seeks to strengthen the resilience of non-state actors, including marginalised communities, and enhance their ability to deliver transformative, inclusive, and sustainable contributions to peace, stability and security in Armenia, Azerbaijan, Georgia, and Moldova.
Civil society organisations (CSOs) in Armenia, Georgia, Moldova and Azerbaijan face a range of challenges and threats to their work. Research carried out with the support of ISF (including BREN’s own research) indicates that CSOs in the region are especially vulnerable to cyber attacks, including data breaches and data theft, due among other reasons to a lack of cyber security threat awareness and protective measures.
Moldova, already at heightened risk of cyber attacks because of Russia’s invasion of Ukraine, faces further risk in the immediate term from significant upcoming events, including elections in the fall.
Building on IWPR’s previous activities in this area, IWPR is seeking a local expert consultant in Moldova to help strengthen data, information and communications protection practices among up to 8 CSOs. The objective is to strengthen the CSOs’ data and communications protection practices so that sensitive information is protected from unauthorized internal and external access and use. (Note: most of the prospective trainees have already had basic cybersecurity instruction. We are not looking for a basic cybersecurity training course, but for training on data protection topics; see Suggested Data Protection Training Topics below for the topics the training should address.)
All trainers and mentors must speak Romanian and have a working knowledge of Russian. The services are scheduled to be delivered over four months, from 22 July 2024 to 15 November 2024.
2. Scope of Work
The Consultant will support implementation of data, information, and communications protection strategy, policies, and procedures based on best practices among participating CSOs, as follows:
1) Provide one hybrid (in-person/remote) half-day training on data, communications and information security best practices. Up to 8 CSOs are eligible to participate in the training; each CSO may send up to 2 participants, for a total of 16 training beneficiaries. Some CSOs are located outside the city and will not be able to attend in person, so the training must also be offered online with two-way engagement. See below for suggested topics that should be covered during the training;
2) Conduct an audit of the participating CSOs’ data, communications and information protection practices, identifying weaknesses (up to 8 CSOs are eligible to participate in the audit);
3) Collaborate with each CSO to develop a data, communications and information security strategy, policies and procedures, and a corrective action plan as needed, based on best practices (up to 8 CSOs are eligible to participate in this activity);
4) Mentor each CSO as it implements the plan. Each CSO may receive up to 4 hours of mentoring during the project period, and up to 8 CSOs are eligible to participate in this activity. Mentoring hours must therefore not exceed 32 hours total for all CSOs combined.
Suggested Data Protection Training Topics
1. Understand data technologies and databases
- Database models (one-tier, two-tier and three-tier architectures)
- Data storage options (cloud, local)
-- Best practices
-- Recommendations of cloud providers (or what to look for in a cloud provider)
2. Identify and classify sensitive data; implement access controls
- Public data — Data that does not need special protection and can be shared freely.
- Private data — Data that employees may access but that should be protected from the wider public.
- Confidential data — Information that may be shared with only selected users, such as proprietary information and trade secrets.
- Restricted data — Highly sensitive data, such as medical records and financial information, that is protected by regulations.
3. Access controls (physical, technical and administrative)
- Administrative controls (supervisory responsibility, employee training, employee termination procedures, e.g. revoking access on departure)
- Technical controls (data storage, permissions, access control lists, and security devices and methods such as data loss prevention, firewalls, NAC and proxy servers)
- Physical controls (locking down computers/workstations, BIOS password control)
4. Laptop and mobile device security
- Best practices: encryption, public Wi-Fi usage, VPNs, strong passwords, webcam risks and camera use in the office
5. Data encryption (laptops, phones, computers, etc.)
- Best practices
- Recommended encryption tools (or what to look for in an encryption tool)
6. Data backup
- Best practices
- Recommended tools (or what to look for in a data backup tool)
7. Harden the organization’s systems
- Reconfiguring the operating system’s default/baseline settings
- Web servers (best-practice controls: updates, permissions)
- Email and email servers (best-practice configurations/settings)
8. Timely implementation of updates / patch management
9. Protecting data from insider threats
- Authorized users misusing rights and privileges
- Unauthorized users gaining access from inside the office, e.g., unprotected wireless network.
- Remote access vulnerabilities
10. Endpoint security tools (options, best practices, recommendations)
--- Antivirus software
--- Antispyware
--- Pop-up blockers
--- Firewalls
11. Securing/locking and recycling of equipment
Secure workspace areas, trash disposal, destruction of sensitive data, ID cards, access to keys and lock codes, discarding/recycling of computers, phones, etc.
12. Provide a model/template data usage policy
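Topics 2 and 3 ask trainees to classify data and then enforce access controls on it. The following is an added example of what the audit in item 2) of the Scope of Work could automate for those two topics; it is not part of the TOR or of IWPR’s materials. It assumes a constructed convention (not from this page) that the top-level folder under the audited root names the classification of everything inside it, and that the files sit on a POSIX filesystem where the mode bits are the access control (Windows ACLs are out of scope here). The sample tree is constructed in a temporary directory.

```python
"""Audit file permissions against a data classification scheme.

Added example for training topics 2 and 3; not part of the TOR or of IWPR's
materials. Assumptions (constructed for the example): the top-level folder
under the audited root names the classification of everything inside it, and
files sit on a POSIX filesystem where mode bits are the access control.
"""
import stat
import tempfile
from pathlib import Path

# Permission bits that must NOT be set for each classification level.
FORBIDDEN_BITS = {
    "public": 0,                                            # shareable freely
    "private": stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH,  # no "other" access
    "confidential": stat.S_IRWXG | stat.S_IRWXO,            # owner only
    "restricted": stat.S_IRWXG | stat.S_IRWXO,              # owner only (regulated data)
}


def classify(path: Path, root: Path) -> str:
    """Derive the classification from the first folder under root.
    Unlabelled data fails closed: it is treated as restricted."""
    top = path.relative_to(root).parts[0].lower()
    return top if top in FORBIDDEN_BITS else "restricted"


def audit(root: Path) -> list[tuple[str, str, str]]:
    """Return (relative path, classification, octal mode) for every file or
    directory whose mode carries bits forbidden for its classification."""
    findings = []
    for path in sorted(root.rglob("*")):
        level = classify(path, root)
        mode = stat.S_IMODE(path.lstat().st_mode)
        if mode & FORBIDDEN_BITS[level]:
            findings.append((str(path.relative_to(root)), level, oct(mode)))
    return findings


def remediate(root: Path) -> int:
    """Corrective action: clear the forbidden bits in place.
    Returns the number of entries changed."""
    changed = 0
    for rel, level, mode_text in audit(root):
        mode = int(mode_text, 8)
        (root / rel).chmod(mode & ~FORBIDDEN_BITS[level])
        changed += 1
    return changed


def build_sample_tree() -> Path:
    """Constructed sample data in a temp dir (not real CSO files)."""
    root = Path(tempfile.mkdtemp(prefix="classification-audit-"))
    files = {
        "public/newsletter.txt": 0o644,
        "private/staff-list.csv": 0o640,
        "private/leaked-roster.csv": 0o644,      # world-readable: finding
        "confidential/donor-agreement.pdf": 0o600,
        "restricted/medical-notes.txt": 0o640,   # group-readable: finding
    }
    dirs = {"public": 0o755, "private": 0o750,
            "confidential": 0o700, "restricted": 0o700}
    for rel, mode in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("sample content\n")
        target.chmod(mode)
    for name, mode in dirs.items():
        (root / name).chmod(mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, level, mode_text in audit(sample_root):
        print(f"{rel}: {level} data with mode {mode_text}")
    print(f"fixed {remediate(sample_root)} entries; remaining: {audit(sample_root)}")
```

The point for the CSO is the split between audit() and remediate(): the audit produces the list of weaknesses, and the corrective action is applied only after the CSO agrees to it, which mirrors items 2) and 3) of the Scope of Work. Unlabelled folders fail closed to "restricted" so that data nobody has classified yet is never treated as public.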
3. Main Deliverables and Timeline
Deliverables | Timeline | Payment upon deliverables approval
1) In consultation with IWPR, finalize the detailed workplan and develop the monitoring, evaluation and learning (MEL) framework for the project. | 1 week: July 2024 | At Milestone 1 below
2) Conduct 1 half-day hybrid (in-person with remote option) training on data, communications and information protection (up to 16 CSO representatives attending). | ½ day: July 2024 | Milestone 1: after the training is conducted and submission of the required invoice.
3) Conduct a data, communications and information security audit of each participating CSO (up to 8 CSOs). | July-August 2024 | At Milestone 2 below
4) Develop a data, communications and information protection strategy and corrective action plan, as needed, with each participating CSO based on best practices. | September-October 2024 | Milestone 2: after the plans are delivered to the CSOs and submission of the required invoice.
5) Mentor each participating CSO with implementation of the strategy and corrective action plan (up to 4 hours of mentoring per CSO; mentoring hours must not exceed 32 hours total for all CSOs combined). | September-October 2024 | At Final Payment below
6) Prepare the MEL report and submit it to IWPR. | Due November 15, 2024 | Final Payment: after delivery of the MEL report and submission of the required invoice.
4. Budget
Please submit a budget for IWPR’s review.
5. Payment Schedule
The consultant will invoice for services rendered based on the Milestones identified in the table above.
6. Work Relationships
The Consultant shall report to and work directly with the BREN Capacity Building Manager. The Consultant will also work with IWPR’s respective country coordinators in each country.
7. Application and Evaluation Process
The Consultant should submit the following to vonda@iwpr.net no later than July 16, 2024:
Applications will be evaluated based on the following criteria:
Experience – 30 points: Ability to deliver all the requirements required by IWPR
Price – 30 points: Value for money
Technical – 40 points: Responsiveness to the ToR specifications and requirements.
Evaluation criteria | Evaluation sub-criteria | Points | Max points
Experience (30 points) | Organisational and/or individual experience | Experience in the subject matter of the ToR; prior work with CSOs; personnel and/or organisational resources are adequate and appropriate to implement the ToR’s activities | 30
Price (30 points) | Budget reasonableness | Completeness of budget; all budget items are necessary and appropriate; price reasonableness; value for money | 30
Technical (40 points) | Proposal/Work Plan | Does the proposal clearly explain, understand and respond to the requirements as stated in the Terms of Reference? | 40