USAID GAP-RISC project is looking for a Digital Security and Data Privacy Expert
SCOPE OF WORK
Strengthening Digital Security and Data Privacy for the Global Accountability Program (GAP)
Resilient Institutions Against Strategic Corruption (RISC) Activity
Millennium Partners seeks a sub-contractor to serve as a digital security expert as part of an Activity under USAID’s Global Accountability Program. The contract is subject to available funding.
Background
In September 2023, USAID awarded the $28.9 million, five-year Global Accountability Program (GAP), managed by the Anti-Corruption Center in USAID's Bureau for Democracy, Human Rights, and Governance (USAID/DRG), to Millennium Partners. Working with USAID Missions worldwide, Millennium Partners and its team of sub-contractors and resource partners will deliver global, multi-country, and country-level Activities. The Resilient Institutions Against Strategic Corruption (RISC) Activity is a regional Activity under GAP that will enhance the capacity of key states in Europe and Eurasia to respond to external efforts to use strategic corruption to interfere with domestic political processes.
Due to the nature of the RISC Activity, which will entail accessing, handling, exchanging, and storing sensitive information and communications by Millennium Partners staff and sub-contractors, there is a need to develop, implement, and monitor protocols for protecting the safety, privacy and confidentiality of communications and data related to RISC’s implementation, applicable for the duration of the Activity for all parties involved in its implementation.
Location
Ideally, the sub-contractor will be based in one of the countries of focus (Armenia, Moldova) or the Eurasia region, but remote work is also possible.
Reporting
The sub-contractor will coordinate with the Millennium Partners IT Manager on all work. The sub-contractor will report to the Chief of Party for GAP Activity or her designee.
Tasks/Milestones:
Tasks under the subcontract will be structured to reach the following Milestones:
Milestone 1: Assess the status quo of data handling and storage protocols, communications practices and security of IT equipment of RISC country offices and GAP Global staff to identify vulnerabilities and develop policies to ensure privacy of IIPs and data and the security of communications for Global GAP and RISC country offices.
Milestone 2: Based on the above assessment, develop recommendations and written policies to address vulnerabilities and ensure safe communications, data handling and equipment use for GAP Global and RISC country offices.
Milestone 3: Develop and deliver training to GAP Global staff and the RISC team* regarding the above written policies and best practices around digital security and data privacy. Work with identified staff to build their capacity to monitor relevant internal policies and procedures and ensure compliance and digital data hygiene throughout activities implemented under GAP and its RISC subcontractors.
* GAP Global staff will be identified. RISC team includes all full-time and part-time employees and consultants engaged on a regular basis in RISC country offices. RISC Sub-contractor refers to external individuals and firms contracted for specific work under GAP or RISC.
Milestone 1: Assess the status quo of data privacy protocols, communications practices and IT equipment of RISC country and GAP Global team.
To reach Milestone 1, the sub-contractor will evaluate the status quo of data safety protocols and IT equipment (computers, software, data storage, cell phones, printers, routers) currently used by GAP Global staff and the RISC team.
The sub-contractor will interview and/or survey the GAP Global staff and RISC team to assess the safety of communication practices (emails, use of communication platforms) including knowledge of safe or best practices. This assessment will include current practices and policies communicating with and engaging GAP subcontractors. In addition to creating a general policy for all of GAP, the sub-contractor should consider the working environment for both country offices (Armenia and Moldova) in the risk assessment of data management and communications for RISC and include specific provisions relevant to those environments.
In a written report, the sub-contractor will identify gaps, vulnerabilities (including behavioral), and areas for improvement in the security, confidentiality and safety of data management and communication processes for RISC, with a focus on vulnerabilities in the countries of implementation (Armenia and Moldova). This report will also recommend organizational and physical security controls such as encryption, access controls, secure transmission protocols, and regular security assessments. The sub-contractor will work with the Millennium Partners IT Manager during the assessment.
Deliverable 1. Assessment report on security of communication devices and IT equipment
The assessment report will include a description of the current situation regarding the security of existing data privacy protocols, communication practices (including behavioral) and IT equipment; will identify gaps and vulnerabilities related to data safety and security of GAP Global and RISC country offices and communication as well as work with GAP sub-contractors; and will make recommendations regarding policies and practices around data and communications security.
Milestone 2: Develop policies to address vulnerabilities and ensure safe communications and data storage for Global GAP and RISC country offices
To reach Milestone 2, the sub-contractor will use the assessment report developed under Milestone 1 to develop written policies, protocols, and/or procedures governing data privacy, communications and use of IT equipment for GAP Global staff, the RISC team and RISC sub-contractors.
The policies will articulate the principles, standards, and procedures governing data collection, use, disclosure, retention, and disposal, as well as compliance with relevant privacy laws and regulations. The policies should also address vulnerabilities around behavior and guidelines to minimize risks from conduct and should include communications and data sharing with GAP Global Staff, the RISC team and RISC subcontractors.
The policies will also establish procedures for responding to privacy incidents, breaches, or unauthorized disclosures of personal information within the RISC. This will include implementing an incident response plan, conducting internal investigations, notifying affected individuals and regulatory authorities as required, and implementing remediation measures to mitigate harm and prevent future incidents.
Deliverable 2. Written data security and communication policies for GAP and RISC
Written policies and guidelines governing data management and privacy (including privacy policy, privacy notice templates, data retention policy, privacy compliance checklist), communications protocols (outlining protocols that address both technical and behavioral risks) and IT equipment (including ongoing hygiene and maintenance) for the RISC Activity and GAP.
Milestone 3: Support the implementation of a data safety and privacy program within the RISC framework through trainings and mentorship
The sub-contractor will support the development and implementation of a comprehensive privacy program tailored for Global GAP staff, RISC team, and its RISC sub-contractors, to prepare for effective management of privacy and IT risks, personal information protection, compliance with legal and regulatory requirements, and safe communications protocols across GAP’s RISC activities.
The sub-contractor will develop and deliver online training to the GAP Global staff and the RISC team, recorded to allow for future use, regarding the above written policies and best practices around digital security and data privacy on the following illustrative topics: privacy policies and procedures, data protection best practices, safe communication protocols, threats in the online environment and how to protect your data and privacy, legal requirements for data protection and the importance of safeguarding personal information.
The sub-contractor will work with identified staff to build their capacity to monitor relevant internal policies and procedures and ensure compliance and digital data hygiene throughout activities implemented under GAP and its RISC subcontractors.
Deliverable 3. Online trainings for GAP Global Staff and the RISC team regarding Digital Security and Data Privacy Policies
The subcontractor will develop and deliver a series of training sessions (4-6 hours) covering the above topics tailored for GAP Global and RISC staff. The subcontractor will further provide one-on-one sessions with identified staff regarding ongoing monitoring of digital hygiene.
Expected Qualifications
- Proven experience in cybersecurity assessments and policy development (minimum 5 years)
- Strong understanding of digital security tools, techniques, and compliance requirements
- Experience working in and knowledge of digital and relevant legal environment in Eurasia, specifically Armenia or Moldova, strongly preferred
- Excellent communication and training skills
- Excellent writing skills
- Fluency in English required. Romanian language ability preferred
Expected Timeframe: January 1, 2025 – February 15, 2025
Expected LOE for the consultancy – up to 20 days.
To apply, please upload your CV, letter of interest and proposed budget for this work to: https://experts.millenniumpartners.org/#/apply by January 15th, 2025. However, we encourage interested candidates to apply sooner, as applications will be considered on a rolling basis.
Please select Digital Security Expert from the “Apply for” dropdown.