The Egmont Group Secretariat (EGS) is seeking proposals from vendors to conduct an external (independent) security audit (ESA) of its new IT system. The successful candidate will be selected based on their experience and on how well their proposal meets the needs of the Egmont Group (EG).
The successful vendor will be required to conduct the ESA according to the requirements provided by the EGS.
The new EG IT system is configured on Microsoft 365 public cloud, following the zero-trust paradigm. The system mainly focuses on using SharePoint, Teams, Forms, OneDrive (as collaboration tools), and secure email using Exchange Online for operational exchange with the highest security requirements.
The ESA is required to assess if the new EG IT system, as configured per the detailed (low-level) Solutions Design Document (SDD) and Egmont’s Business Requirements Document (BRD), follows the requirements of these documents. IT security proposals provided by member Financial Intelligence Units (FIUs) and agreed upon across the organization shall also be considered.
The ESA must have a manual component (i.e., external penetration testing, which must follow the Microsoft Cloud Penetration Testing Rules of Engagement as described here). In addition, the ESA must include an assessment of the technical configuration of the system and an automated, tool-based assessment. The ESA must also assess the system's resilience to malicious activity such as malware, viruses, and phishing.
One of the most important Egmont Group requirements is that no one but FIUs can access the system – not even the system's administrators or any other third party. In that regard, the ESA must give primary focus to audit trails, identity and access management, key generation and key management, and end-to-end message encryption.
The ESA must focus on the following main components:
- Configuration – Includes the operational framework's cybersecurity policies, security practices, misuse monitoring, and controls.
- External Access – Analyzes network availability and all three supported methods of accessing the system (web access, PC, and mobile devices managed with Intune), as well as identity, authentication mechanisms, and infrastructure security.
- Unauthorized access to Data – Encompasses the security measures and tools involved in protecting the confidentiality, integrity, and authenticity of data within the Egmont Group network (potentially while using trial accounts).
- Hardware Security Module (HSM) – Refers to the level of security and hardening implemented in the HSM.
- Compliance – NIST gap analysis and other applicable international standards.
- Deliverables – Documented audit findings and applicable recommendations, with a suggested Plan of Action (POA) that defines the actions needed to strengthen the new EG IT system.
The ESA must also assess the IT security and information exchange policies regulating the system.
MAIN COMPONENTS OF THE NEW EGMONT GROUP IT SYSTEM
The new EG IT system was configured following the assumptions below:
- The EG IT system was implemented using the Greenfield Approach on MS 365 Public Cloud infrastructure to enable secure email and collaboration and application of the Zero Trust paradigm.
- A new MS tenant was rolled out from scratch and configured to meet the EG requirements for secure email and collaboration (Greenfield Approach).
- The solution design supports different security levels based on Egmont Group’s needs.
- The solution must be suitable for FIUs that already utilize MS cloud environments and those that do not.
- The solution should not place a significant burden on members to implement and actively use it, while following all security standards set in the BRD and SDD and allowing equal treatment of all Egmont Group members.
- The solution must not require integration with any other services (on-premises, the previous cloud-hosted service, and/or any third-party or customized applications).
- The solution must not require integration with individual FIUs' systems.
- No emails will be migrated from the previous system to the new secure email infrastructure.
- Relevant security standards will be applied.
- The tenant will be secured using Bring Your Own Key (BYOK) as an EG tenant-level key. An on-premises HSM is foreseen so that the EG retains full control over key generation and over the transfer of the key to Azure Key Vault in the Microsoft cloud.
- Device management will be realized using Intune with Bring Your Own Device (BYOD). Alternatively, browser-based access will be available for users whose internal security policies do not allow third-party application installation.
- Secure email and collaboration platforms have been configured using available MS applications.
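The BYOK and HSM assumptions above are the part of the design an auditor can verify mechanically from exported Azure configuration. The following is an added example, not part of this RFP or of the EG's own tooling: it checks a Key Vault and its tenant key (the JSON shapes follow the output of `az keyvault show` and `az keyvault key show`) against the prerequisites Microsoft documents for Microsoft 365 Customer Key, which is the M365 feature that consumes a tenant-level BYOK key. It assumes the EG tenant uses Customer Key with two vaults in separate regions; the vault names, the M365 service principal object ID, and the key material are constructed placeholders.

```python
import base64

# Prerequisites documented for Microsoft 365 Customer Key (assumption: the EG
# BYOK tenant-level key is consumed through Customer Key).
REQUIRED_KEY_PERMISSIONS = {"get", "wrapkey", "unwrapkey"}
MIN_RSA_BITS = 2048
HSM_KEY_TYPES = {"RSA-HSM"}  # a key imported from an on-premises HSM via BYOK lands as RSA-HSM

# Constructed placeholder for the M365 service principal object ID in the EG tenant.
M365_SP_OBJECT_ID = "00000000-0000-4000-8000-000000000001"


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def rsa_modulus_bits(key_json):
    """Bit length of the RSA modulus carried in the JWK 'n' field."""
    return int.from_bytes(_b64url_decode(key_json["key"]["n"]), "big").bit_length()


def check_vault(vault):
    """Findings for one vault (output of `az keyvault show`)."""
    props = vault["properties"]
    findings = []
    if props.get("sku", {}).get("name", "").lower() != "premium":
        findings.append("vault SKU is not Premium, so HSM-backed keys are unavailable")
    if not props.get("enableSoftDelete", False):
        findings.append("soft delete is disabled")
    if not props.get("enablePurgeProtection", False):
        findings.append("purge protection is disabled")
    granted = set()
    for pol in props.get("accessPolicies", []):
        if pol.get("objectId") == M365_SP_OBJECT_ID:
            granted |= {p.lower() for p in pol.get("permissions", {}).get("keys", [])}
    missing = REQUIRED_KEY_PERMISSIONS - granted
    if missing:
        findings.append("M365 service principal lacks key permissions: " + ", ".join(sorted(missing)))
    return findings


def check_key(key_json):
    """Findings for the tenant key (output of `az keyvault key show`)."""
    findings = []
    if key_json["key"].get("kty") not in HSM_KEY_TYPES:
        findings.append("key is software-protected (kty=%s), not HSM-backed" % key_json["key"].get("kty"))
    if rsa_modulus_bits(key_json) < MIN_RSA_BITS:
        findings.append("RSA modulus shorter than %d bits" % MIN_RSA_BITS)
    if not key_json.get("attributes", {}).get("enabled", False):
        findings.append("key is disabled")
    if key_json.get("attributes", {}).get("exportable", False):
        findings.append("key is marked exportable; a BYOK tenant key must not be")
    ops = {op.lower() for op in key_json["key"].get("keyOps", [])}
    if not {"wrapkey", "unwrapkey"} <= ops:
        findings.append("key lacks wrapKey/unwrapKey operations")
    return findings


def check_deployment(vaults, keys):
    """Aggregate findings over the two vaults Customer Key requires."""
    findings = []
    if len(vaults) != 2:
        findings.append("Customer Key requires exactly two vaults, found %d" % len(vaults))
    if len({v.get("location") for v in vaults}) < 2:
        findings.append("vaults are not in separate regions")
    for v in vaults:
        findings += ["%s: %s" % (v["name"], f) for f in check_vault(v)]
    for k in keys:
        findings += ["%s: %s" % (k["key"]["kid"], f) for f in check_key(k)]
    return findings


# Constructed sample data: a 2048-bit modulus placeholder (top bit set) and two vaults.
_N = base64.urlsafe_b64encode(b"\xff" + b"\x00" * 255).rstrip(b"=").decode()


def good_vault(name, location):
    return {"name": name, "location": location, "properties": {
        "sku": {"family": "A", "name": "premium"},
        "enableSoftDelete": True, "enablePurgeProtection": True,
        "accessPolicies": [{"objectId": M365_SP_OBJECT_ID,
                            "permissions": {"keys": ["get", "wrapKey", "unwrapKey"]}}]}}


def good_key(vault_name):
    return {"key": {"kid": "https://%s.vault.azure.net/keys/eg-tenant-key/v1" % vault_name,
                    "kty": "RSA-HSM", "n": _N, "keyOps": ["wrapKey", "unwrapKey"]},
            "attributes": {"enabled": True, "exportable": False}}


if __name__ == "__main__":
    vaults = [good_vault("eg-kv-eu", "westeurope"), good_vault("eg-kv-na", "eastus")]
    keys = [good_key("eg-kv-eu"), good_key("eg-kv-na")]
    for finding in check_deployment(vaults, keys) or ["no findings"]:
        print(finding)
```

In practice the vault and key JSON come from `az keyvault show` and `az keyvault key show` run against the EG tenant; the findings list is a starting point for the HSM and key-management portion of the audit, not a substitute for inspecting the on-premises HSM and the BYOK transfer ceremony itself.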
The successful vendor must sign a non-disclosure agreement provided by the EGS.
The project in its entirety, including the presentation of the final report, needs to be completed within two (2) months of the project kick-off. If more time is needed, the candidate should specifically mention it in their Proposal.
The project must include two (2) rounds of review on the draft report.
The maximum budget for this project is $100,000 USD.
Interested vendors are asked to provide a breakdown of their fees.
PROPOSALS MUST CONTAIN:
- Scope of work
- Project work plan with the specific number of days of effort for each deliverable
- Fee (please note currency), including expected time to complete
- Proposed payment schedule
- Curriculum Vitae, which must describe the following:
  - Qualifications and at least five (5) years of experience
  - Certifications and designations, for example, Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Cloud Security Professional (CCSP), Systems Security Certified Practitioner (SSCP), Certified Encryption Specialist (EC-Council ECES), Certified Expert Penetration Tester (CEPT), ISO/IEC 27001, etc.
- Documentation demonstrating proper security clearance for the vendor and for the staff who would be involved in the ESA.
  - Note: the people performing the ESA must be the vendor's own hired staff. No third-party professionals will be accepted.
- Biography of each person performing the ESA
- Description of similar projects completed for governments and/or security-sensitive companies, including recommendation letters with contact information.
- Support that will be expected from the EG
Proposals will be evaluated against the following criteria:
- The vendor must successfully pass the security screening. Additional information may be required to complete the background check.
- Lowest responsive offer
- Proposed payment schedule
- Adherence to specifications and requirements
- Delivery commitments, considered both independently of and together with the lowest price
- Qualifications and experience of the vendor and of the persons performing the audit
- Vendor’s compliance with instructions for submitting required documentation
All submissions must be sent to RFP@secure.egmontsecretariat.org no later than February 6th, 2023, with the following subject line: EG IT Renewal – External Security Audit.
All proposals must be in ENGLISH.
Only the selected candidate will be approached for further contract-related negotiations and provided with the full framework.