|
DSIK Tanzania |
?UNASUBIRI NINI? FOLLOW US ON INSTAGRAM. CLICK HERE!?
German Sparkassenstiftung for International Cooperation (DSIK) Tanzania Jobs, 2024
TERMS OF REFERENCE
Provision of System Audit, Vulnerability Assessment, and Penetration Testing Services.
1.0 INTRODUCTION
German
Sparkassenstiftung Eastern Africa (DSIK) is an international NGO
headquartered in Bonn, Germany, dedicated to combating poverty through
sustainable financial inclusion. At the heart of its mission lies a
commitment to partnering with local organizations to execute project
activities collaboratively.
In Tanzania, DSIK is providing
advisory services to the Savings and Credit Cooperative Union League of
Tanzania (SCCULT). Project activities in Eastern Africa are not limited
to Tanzania, but also include Burundi, Kenya, Rwanda, and Uganda. In
Tanzania, DSIK is a registered International Non-Governmental
Organization under The Non-Governmental Organization Act, 2002 made
under Section 11 (1) and 17 (2) of Act No. 24 in 2002 with Registration
No. I-NGO/R1/005.
Within this initiative, DSIK is set to
collaborate closely with SCCULT, the umbrella organization for SACCOS in
Tanzania mainland. Established in 1992 under the Cooperative Act 15,
SCCULT is dedicated to empowering and advancing Savings and Credit
Cooperative Organizations (SACCOS) through advocacy, financial
assistance, and technical support. SCCULT (1992) Ltd is licensed under
the Microfinance Act of 2018, holding license number
MSP3-TCDC/2021/00374 issued in 2021.
2.0 PROJECT BACKGROUND
In 2022, the Savings and Credit
Cooperative Union League of Tanzania (SCCULT) set out to design,
develop, and implement a Shared Core SACCOS System (CSS). This
initiative was in response to the low adoption rate of information and
communication technologies (ICT) within the SACCOS sector. According to
the 2022 SACCOS annual report1, only 10.13% of SACCOS were utilizing ICT
systems. The slow adoption was primarily attributed to the lack of
reliable system vendors and the high costs associated with available
systems, making them unaffordable to SACCOS.
Within this
initiative, SCCULT aimed to introduce a Core SACCOS System (CSS) that
would serve as a shared service for all SACCOS. As the umbrella
organization for SACCOS, SCCULT was acutely aware of the digitalization
issues faced in the cooperative sector. The CSS was envisioned as a
solution to these challenges, facilitating a collaborative resource pool
accessible to all SCCULT members. This approach was therefore intended
to minimize resource expenditure by lowering fees, ensuring seamless
execution of essential tasks, and promoting optimal compliance,
efficiency, and cost-effectiveness within the sector
Through a collaborative partnership involving SCCULT as the business owner, UBX as the system
developers,
Umoja Switch as a digital payment service provider, and DSIK as project
advisors, the successful development and initial deployment of the
Shared Core SACCOS System have been achieved.
Currently, the project is progressing with the onboarding of SACCOS.
3. 0 OBJECTIVES
The
objective of this assignment is to identify and evaluate potential
security vulnerabilities, assess the system’s performance, and ensure
compliance with industry regulations and best practices through a
thorough System Audit, Vulnerability Assessment, and Penetration Testing
for the Shared Core SACCOS System.
The purpose of this
engagement is to guarantee the reliability, integrity, security and
regulatory compliance of the developed Core SACCOS System.
4.0 SCOPE OF WORK
This
assignment entails conducting a comprehensive system audit,
vulnerability assessment, and penetration testing for the developed
Shared Core SACCOS System.
The scope of this assignment will
encompass the areas below and is expected to deliver the required
outputs within fifteen (15) working days:
4.1 System Audit
The
system audit shall review the system’s processes, controls, and
compliance with relevant standards and regulations to ensure operational
integrity and efficiency. This shall include:
(i) Access Controls:
Review the access control mechanisms to ensure they effectively protect
sensitive information against unauthorized access, data breaches, and
other security threats.
(ii) Internal Controls and Security
Procedures: Evaluate overall security architecture, controls, and
procedures, including network security, application security, data
security, endpoint security, audit trails, system monitoring, and
maintenance, as well as controls over program and system changes to
ensure they are effective in mitigating risks and ensuring proper system
operation.
(iii) Evaluating System Performance: Ensuring the system
operates efficiently and meets performance requirements, including
speed, reliability, resource usage, and ability to handle expected
workloads.
(iv) Verifying Compliance: Checking adherence to relevant
laws, regulations, and internal policies to ensure legal and regulatory
compliance, such as Data Protection laws, Financial Regulations, and
Industry Standards.
(v) Identifying Risks: Detecting potential risks
and vulnerabilities in the system and assessing their impact on business
operations.
(vi) Data Integrity: Ensuring the accuracy, consistency,
and reliability of data within the system by evaluating data protection
measures such as encryption, data masking, and anonymization and
ensuring compliance with data privacy regulations.
(vii) BCM and
Disaster Recovery: Evaluate the incident response plan, including
detection, response, and system’s ability to recover from unexpected
shutdowns and its capability to recover from disasters resulting in data
loss.
(viii) Accurate Financial Reporting: Verifying that financial
data and transactions are accurately recorded and reported in compliance
with financial regulations and accounting standards.
(ix)
Recommending Improvements: Providing suggestions for enhancing system
performance, security, and overall effectiveness based on audit
findings.
(x) Prepare reports in outlined format.
4.2 Vulnerability Assessment
The
vulnerability assessment will identify potential security weaknesses
and risks within the system that could be exploited. The consultant
shall therefore provide vulnerability assessment services including but
not limited to the following:
(i) Conduct a physical security assessment of the CSS facilities and assets.
(ii)
Conduct external and internal vulnerability scans to identify any
security vulnerability that may exist in CSS software, hardware assets,
and integration points.
(iii) Assess current network security measures to identify any vulnerability that may exist within the CSS architecture.
(iv) Conduct OWASP web application security assessment.
(v) Ensure that security issues that pose an imminent threat are reported as they are being identified.
(vi) Assess the potential impact and likelihood of each identified vulnerability, prioritizing them based on their risk level.
(vii) Provide detailed recommendations for mitigating identified vulnerabilities, including technical fixes and policy changes.
(viii) Prepare a report in outlined format.
4.3 Penetration Testing
Finally,
the penetration test will simulate cyber-attacks to test the system’s
defenses and uncover any vulnerabilities that need to be addressed. The
consultant shall therefore provide the following quality penetration
testing services:
(i) Application/website penetration testing services. These shall include:
a) Authentication process testing
b) Development of test datasets and harnesses
c) Testing systems for user session management to see if unauthorized access can be permitted including but not limited to:
– Input validation of login fields
– Cookie security
– Lockout testing
d) User session integrity testing
e) Encryption usage testing (e.g., applications’ use of encryption, sensitive data exposure)
f) Testing of the application functionality including but not limited to:
– Input validation (e.g., bad, or over-long characters, URLs)
– Transaction testing (e.g., ensuring desired application performance)
g) Injection
(ii) Network penetration testing services. These shall include but are not limited to:
a) Identify targets and map attack vectors (i.e., threat modelling)
b) Spoofing
c) Brute force attacks
d) Network sniffing
e) Trojan attacks
f) Denial of Service (“DDoS”) testing
(iii) Social engineering testing services
(iv) Other penetration testing services
(v) Prepare a report in outlined format.
Note:
The consultant shall provide system testing services following
appropriate industry-wide, highly recognized methodologies and standards
such as:
– National Institute of Standards and Technology (“NIST”) SP 800-42
– Open-Source Security Testing Methodology Manual (“OSSTMM”)
– Penetration Testing Execution Standard (“PTES”)
– Open Web Application Security Project (“OWASP”)
The
consultant must ensure proper cleanup after completing system testing,
making sure that the CSS environment is not impacted. Cleanup activities
shall include, but are not limited to, the following:
(i) Update and/or removal of test accounts added or modified during testing
(ii) Update and/or removal of database entries added or modified during testing
(iii) Restoring security controls that have been altered for testing
(iv) Uninstalling any test tools as applicable
(v) Provide guidance/necessary information on how to verify that the system environment has been
restored
(vi) Provide confirmation that the system environment has been cleaned and restored
5.0 KEY DELIVERABLES
The expected deliverables in this assignment are:
a)
Three Full Reports – System Audit Report, Vulnerability Assessment
Report and Penetration Testing Report. The full reports shall each
include all assessment raw data, summary data and recommendations.
b) Executive Report of each of the full reports. The executive report shall include summary data and
recommendations.
c)
Retesting Report – includes all identified/exploitable vulnerabilities
that require immediate remediation, this to be provided after
remediation and retesting.
5.1 Reporting Guidelines
5.1.1 Full Report Outline
Each of the full reports shall contain at a minimum:
(i) Executive Summary. A brief high-level summary of the assessment/scope and major findings
(ii)
Statement of Scope. A detailed definition of the scope of the system
and network tested / assessed. This section should outline the
boundaries of the assessment, including which components of the system
and network were included in the testing. Additionally, identify the
critical processes and explain the rationale for including them as
targets in the test.
(iii) Statement of Methodology. Details on the
methodologies used to complete the testing. The methodologies and
standards used should be explicitly stated as well.
(iv) Statement of
Limitations. Document any restrictions imposed on testing, including
designated testing hours, bandwidth limitations, special testing
requirements, and any other relevant constraints.
(v) Testing
Narrative. Provide details as to the testing methodology and how testing
progressed, document any issues encountered during testing.
(vi) Segmentation Test Results – summarize the testing performed to validate segmentation controls
(vii) Findings
– Tools Used
– Whether/how the findings may be exploited
Risk ranking/severity of each vulnerability
– Targets affected
– Description of finding
– References (if available)
5.1.2 Executive Report Outline
The executive report shall contain at minimum:
(i) Executive Summary. A brief high-level summary of the assessment/test scope and major findings
(ii)
Statement of Scope. A definition of the scope of the systems and
network tested. An identification of critical system components and
processes as well as an explanation of why they are included in the test
as targets
(iii) Findings
– Whether/how the findings may be exploited
– Risk ranking/severity of each vulnerability
– Targets affected
– Description of findings
5.1.3 Retesting Report Outline
If any findings require remediation and retesting, a follow-up test report may be provided. All remediation
efforts should be completed and retested within a reasonable time after the original test/assessment
report is issued. The follow-up report should address all identified and exploitable vulnerabilities that
require immediate remediation.
When retesting is necessary, the report shall contain at least:
(i) Executive Summary
(ii) Date of Original Test
(iii) Date of Retest
(iv) Original Findings
(v) Results of Retest
Read Also:
-
NEW TANZANIAN JOBS, INTERNSHIPS AND VOLUNTEERING OPPORTUNITIES 2024 (1,475 POSTS)
- CHECK SCHOLARSHIPS OPPORTUNITIES TO STUDY ABROAD CLICK HERE!
- Download Your National ID (NIDA) Number Here | Download NAMBA NA KITAMBULISHO CHAKO CHA NIDA. BONYEZA HAPA!
- PAST PAPERS ZA DARASA LA 7 MPAKA FORM SIX | NECTA AND MOCK EXAMS 1988 – 2019. CLICK HERE!
- Free
CV Writing and Download, Cover/Job Application Letters, Interview
Questions and It’s Best Answers plus Examples. Click Here!
6. QUALIFICATION AND EXPERIENCE OF THE CONSULTANT(S)
The applicant should have relevant qualifications and working experience, particularly:
(i)
At least a Bachelor’s Degree in Cybersecurity, Information and
Communication Technologies (ICT), Information Technology (IT), Digital
Finance, or a related field.
(ii) Specialized cybersecurity
certifications such as Computer Hacking Forensics Investigator (CHFI),
Certified Information Security Manager (CISM), Certified Information
Systems Auditor (CISA), Certified Ethical Hacker (CEH), Pen Test or
related field.
(iii) At least 7 years of working experience in Cybersecurity and at least 10 years of experience in ICT or Digital Finance.
(iv)
A comprehensive knowledge on financial and cybersecurity regulations,
policy updates, and circulars applicable to the financial sector in
Tanzania.
(v) Must be a professional registered with the Tanzania Communications Regulatory Authority
(TCRA) to provide system audit and vulnerability assessment services.
(vi) Proven working experience in conducting system audits, vulnerability assessments and penetration testing.
(vii) Experience in communicating effectively with a diverse team of partners.
(viii)
Certified in Risk and Information Systems Control (CRISC), and
Certified Information Systems Security Professional (CISSP), will be an
added advantage.
(ix) Proficient in producing concise reports.
An eligible consultant may either be an individual or a firm.
7. MODE OF APPLICATION/BIDDING REQUIREMENTS:
Interested consultants should submit both Technical and Financial Proposals for this assignment. A
technical proposal detailing their approach to the assignment, methodology, and work plan. Financial
Proposals should provide, among other things, a breakdown of costs, and the bidders should be VAT
registered (if it is a firm) and must be able to provide Electronic Fiscal Device Receipts (EFDs). The
proposals
should be accompanied by the Company Profile (for firms), CVs of the
responsible team, Address (PO Box), Phone Number, Email Address,
Physical Address, and list of both the previous and current Corporate
Customers.
The proposals should be submitted to the following e-mail by 5th September 2024 at 17:00 (EAT):
Office.Tanzania@dsik.org
Please be informed that candidates who will not hear responses by 12th September 2024 should consider
themselves unsuccessful.
For any enquiry you may contact: Ms. Kalunde Kapaliswa via Tel: +255 766 0202 84 or E-Mail:
Kalunde.Kapaliswa@dsik.org
NOTE:
DOWNLOAD ADVERT IN PDF FILE HERE!