SMO Appendix 1: Terms of Reference (22 March 2018)

Transcription

1 SMO Appendix 1: Terms of Reference (22 March 2018) ABOUT SCA The Swedish Committee for Afghanistan (SCA) is an aid organisation that has worked in Afghanistan since We carry out development projects in the area of education, healthcare, rural development and rehabilitation of persons with disabilities. SCA has about 5,500 employees, 99 per cent of whom are Afghans. Our operations are especially directed to the most vulnerable groups in the society and is always carried out in close cooperation with the local society. We mainly work in the poor rural areas of Afghanistan with special focus on women, children and persons with disabilities. The work with human rights and gender issues is central to SCA and permeates the entire organization. In Sweden SCA has about 12,000 members and monthly sponsors as well as an office in Stockholm with about 20 employees. SCA is a political and religiously independent aid organisation that is funded by thousands of individuals, SIDA, EC and the World Bank. The member based organization was established in BACKGROUND FOR THE SERVICE SCA is in need of an independent external auditor to evaluate its data centres, network infrastructure, and related logical and physical resources in Afghanistan. The goal is to evaluate how the current SCA ICT (Information and Communication Technology) infrastructure currently safeguard assets, maintains data system integrity and assists the organization in achieving overall goals and objectives. It is also important to know if SCA resources are used effectively and efficiently in regard to ICT. The current SCA ICT infrastructure in Afghanistan has different functions and services provided by 14 different servers to KMO and the five RMOs. There are potential risks associated with these data centres and systems which can impact the services provided in several ways. Page 1 of 6

2 SCA ORGANISATIONAL STRUCTURE SCA s organisational structure has two main branches based in Afghanistan and Sweden, respectively (see detailed organogram below). The Stockholm Management Office (SMO) is focused on coordinating and supporting strategic activities such as communications, advocacy, strategic financial management, managing donor grants and coordination with the SCA membership association. The ICT services for the chief executive officer of SCA, the Secretary General (SG) and the associated Secretary General s Secretariat (SGS), is also managed by SMO. The Kabul Management Office (KMO) is responsible for coordination, strategy and administrative as well as technical support of SCA s aid and development projects. Five Regional Management Offices (RMO) are responsible for the operationalisation of the aid projects in 14 different provinces in Afghanistan. As of December 2016, SMO had 21 employees while KMO and the five RMOs had 1,261 employees. A further 3,966 field staff were employed directly in the various aid projects. Out of a total of 5,262 staff, about 350 have work accounts (through Office 365 Outlook). At KMO, the Information and Communications Technology Unit (ICTU) is responsible for managing ICT systems and communication network systems for KMO and the RMOs. This includes support in procuring hardware and software, technical support to end users, security, developing policies and guidelines, etc. ICTU works in coordination with the Finance and Administration Unit (FIA) at SMO for cross-organizational ICT development and development of ICT policies. Page 2 of 6

3 SCA organogram Page 3 of 6

4 CURRENT SCA ICT INFRASTRUCTURE In Afghanistan, SCA has around 1000 physical devices at KMO and the five RMOs. These include printers, photocopiers, radio communication equipment (Codan, VHF), network hardware such as routers and switches, Active Directory Domain Controller (ADDC) and servers for hosting file sharing, user data backup, as well as server hosting for SCA s enterprise resource planning system (ERP) Epicor iscala and the HR system Visma Personec. The current total number of registered computers at SCA is 647 with the following distribution: KMO has 187 computers, plus 14 servers connected to the network with an internet bandwidth of 20/20 Mbps. This bandwidth is providing internet access to approximately 190 network nodes and connection to cloud services as well as RMO networks. Mazar-e-Sharif RMO has 85 computers connected to the network with the capacity of 6/6 Mbps. As part of this RMO is also a separate Kunduz Local Office that has 24 computers connected to the network with an internet bandwidth of 2/2 Mbps Wardak RMO has 76 computers connected to the network with an internet bandwidth of 3/3 Mbps. Jalalabad RMO has 79 computers connected to the network with an internet bandwidth of 5/5 Mbps. As part of this RMO organisationally is also the Mehtarlam Liasion Office (MLO) that has 41 computers connected to the network with an internet bandwidth of 2/2 Mbps. Taloqan RMO has 78 computers connected to the network with an internet bandwidth of 3/3 Mbps Ghazni RMO has 47 computers connected to the network with an internet bandwidth of 2/2 Mbps. In Stockholm, SMO has 30 computers connected to a network with an internet bandwidth of 100/100 Mbps. Internal ICT services KMO has a corporate network connected with the five RMOs. There are 14 servers available at KMO providing various services such as file storage and printing, Active Directory (AD), Additional Activate Directory, DHCP, WDS, WINS, Symantec backup exe server for user data and critical system server states, firewalls that filter all incoming and outgoing data traffic and provide KMO with connectivity to the RMOs. Each RMO has its own Kaspersky endpoint security central server configured with different polices that protect individual workstations. They also house read-only domain controllers (RODC) that allow the RMOs to locally authenticate their domain accounts. External ICT services SCA uses as its main communication tool across the organization through a Microsoft Office 365 solution with an Azure AD for the administration in Afghanistan. For the administration in Sweden, the local AD and file servers are managed by Office Management, an external supplier based in Sweden. SMO uses Office 365 accounts with direct cloud access. The SMO file servers are not integrated or synchronised with file servers in the SCA Afghanistan offices. KMO s local AD is synchronized with the Azure AD through a virtual private network (VPN). As of July 2017, SCA had 461 E2-licensed Office 365 accounts and 32 E3-licensed accounts. With a handful of exceptions, the E2 licenses are used only by staff in Afghanistan while the E3 licenses are used by staff in Sweden. Page 4 of 6

5 General layout of SCA ICT infrastructure SCOPE OF THE SERVICE The Service should be an audit of SCA s ICT infrastructure verifies SCA s capacity to provide a secure and functional network infrastructure, communication, conference call through Skype for Business, data security, and other services shared and accessed over the network with other associated hardware equipment, including network outlets, routers, switches, etc. The Service is expected to include a physically verify the ICT infrastructure and to perform a penetration test on all data centres. The provider of the Service is expected to adopt a risk based approach to make the audit plan. The auditors should use the following internationally adopted frameworks and standards for the Service: The framework and standard introduced by IASACA (Information System Audit and Control Associate) ITIL (Information Technology Infrastructure Library) COBIT (Control Objectives for Information and related Technology) While the goal is that SCA operations in both Sweden and Afghanistan should be on a roughly equal level of capacity, the focus for this Service is on the Afghanistan operations since the vast majority of the workforce is located there, and because the overall ICT infrastructure of the country is not as developed as in Sweden. Page 5 of 6

6 Specific deliverables The Bidder should possess wide knowledge on and experience in ICT auditing and should perform the following: 1. An on-site audit at SCA s office in Kabul (Kabul Management Office, KMO). 2. Present an audit report containing conclusions relating to the areas mentioned below. The final report should include recommendations for improvements in any areas where risks are identified. 3. A preliminary draft for the final report should be submitted to SCA to allow for adjustments and corrections. After one round of comments from SCA have been addressed, a final version will be submitted to SCA for approval. The following areas should be specifically targeted for review in the final report: The internal and external connections to SCA ICT infrastructure. Integrity of SCA accounts and risks for unauthorized access (from internal or external parties) to accounts. SCA s capabilities for business continuity in terms of backup capabilities, disaster recovery and business continuity plans Usage of ICT resources in proper manner. Ensure that the ICT infrastructure is configured correctly in accordance with hardware and software specification, and identify any further opportunities to improve productivity and security. Analyze the network design and architecture. Identify any opportunities to improve performance and support response times of SCA s internal technical support. SCA s ICT policies and steering documents in regard to maintaining security and the integrity of SCA s business data. Overall ICT budget and assets management in relation to the size, scope and complexity of SCA s organisation and the needs to provide adequate supporting services to its operations. Management of ICT-related supplier contracts and their related service level agreements (SLA). The organisational structure, policies and procedures, technical standards and documentation of SCA ICT support. SCA management of software licenses. Control of access to and documentation of SCA-run data centres, databases and hosted ICT systems such as Visma Personec and Epicor iscala. If any obvious risks are identified during fulfilment of the Service in areas other than those mentioned above, SCA encourages the auditors to mention these in the final report. Page 6 of 6