Request for Proposal (RFP)
PUR1412/19
Provision of Information Security Risk Assessment,
Benchmarking and Strategy Review for the
European Bank for Reconstruction and Development
Request for Proposal
Provision of Information Risk Assessment, Benchmarking and Strategy Review
1.0 Introduction
1.1 Definitions:
The terms ‘EBRD’ and ‘The Bank’ shall mean the European Bank for Reconstruction and Development.
The term ‘RFP’ shall mean Request for Proposal.
The term “Minimum Requirements” shall mean a set of criteria (Annex A) that Suppliers must meet in order to be Pre-qualified to submit a Proposal.
The term ‘Supplier(s)’ shall mean a party (i.e. Consultant or Consultancy) that submits a proposal in accordance with this RFP.
The term ‘Proposal’ shall mean the Technical Proposal and the Financial Proposal.
1.2 EBRD Profile
The Bank was founded in April 1991, in London, to foster the transition towards open market oriented economies and to promote private and entrepreneurial initiatives in Central and Eastern Europe.
The Bank operates internationally with 54 Resident Offices (ROs) in its countries of operations, supported by its Headquarters in London. The Bank employs on average 1637 staff in its Headquarters and 663 staff in the ROs.
The Bank is an international institution. Further information about the Bank’s role and activities can be found on the Bank’s website: www.ebrd.com.
2.0 Description of the RFP Process
2.1 General Description
The Bank requires proposals from Suppliers for the following:
Firstly, perform a benchmarking exercise which will:
• Assess the primary threats facing the Bank, with a particular focus on the potential threats emanating from the adoption of new technologies by the Bank and from the expansion of the Bank’s operations into new regions, and the cyber security threat/risk this brings;
• Analyse the wider International Financial Institution (IFI)/Financial Institution (FI) threat landscape and use this information to benchmark how the Bank’s information security controls compare to those in other international financial institutions (IFIs);
• Then propose an IS Strategy for the Bank.
Secondly, based on the aforementioned threat assessment, scope and/or undertake detailed IS Risk Assessments (ISRAs) using the Bank’s new Operational Risk Tool. This tool is the ‘ARC Logics’ product from Wolters Kluwer Financial Services (WKFS) and will be used to support implementation and monitoring of the Bank’s Information Security Management System (ISMS), in line with the requirements of ISO/IEC 27001:2013 (the international standard for information security management).
2.2 Sole source of contact for this Tender
The sole source of contact for this tender is:
Jason Redrup – Procurement Manager
Corporate Procurement Unit
One Exchange Square
London EC2A 2JN
United Kingdom
Tel: +44 020 7338 8612
Email: [email protected]
Please note that all communication relating to this requirement and the associated procurement process shall be through the Sole Contact. The Bank reserves the right to disqualify any Supplier who makes direct contact with any member of Bank staff other than the Sole Contact.
Should a Supplier need to contact a member of Bank staff on an unrelated issue during this procurement process, they should seek the advice of the Sole Contact first.
2.3 Timetable
Item – Deadline Date
• Publication of Minimum Requirements checklist (Pre-qualification) and RFP document on the EBRD web page – 15 December 2014
• Submission of Minimum Requirements (Pre-qualification) checklist – 12 January 2015
• Notification to pre-qualified Suppliers – 15 January 2015
• Clarification questions from suppliers – 18 January 2015
• Issue response to supplier clarification questions – 22 January 2015
• Receipt of RFP technical responses – 13:00 hours UK time on 25 January 2015
• Evaluation of RFP technical responses – by 30 January 2015
• Notification to pre-qualified Suppliers to submit financial proposals – 30 January 2015
• Receipt of financial proposals from shortlisted suppliers – 2 February 2015
• Completion of evaluation process / contract award – 4 February 2015
• Contract negotiations and contract signature – by 6 February 2015
• Contract commences – by 9 February 2015
2.4 Submission of Minimum Requirements Checklist
Suppliers interested in participating in this procurement process must submit the Minimum Requirements Checklist (Annex A) by e-mail only to the Sole Contact for this tender (as specified in section 2.2) before the deadline specified in the timetable (in section 2.2). Answers to all questions in Annex A must be provided, including any supporting documentation requested in Annex A. The Pre-qualification of Suppliers will be communicated by e-mail on the date specified in the timetable.
2.4 Submission of Proposals
2.4.1 Submission of a Proposal by a Supplier implies acceptance of the terms described in this RFP.
2.4.2 This document is an RFP sent by the EBRD to a number of Suppliers. This document does not constitute a contract, nor may it be considered as such. Award shall be subject to the successful Supplier entering into a contract with the EBRD.
2.4.3 If, in the judgment of the EBRD, the information sent by any of the Suppliers does not meet the technical or contractual requirements contained in this document, the EBRD reserves the right to disqualify this Supplier from the process.
2.4.4 The Bank reserves the right to verify any information in the Proposal with the references provided by the Supplier.
2.4.5 Proposals consist of the following:
Annex C (Technical Proposal) – the requirements of this proposal are described in Annex C. Responses must be submitted by email only using a word file format.
2.4.6 The closing date for receipt of the technical proposals is 13.00 hrs on 25th January 2015. Proposals received by the Bank after this time will be rejected.
2.4.7 The Bank reserves the right to decline without further comment any proposal which does not accept the Bank’s Arbitration clause as identified in Section 21 of Annex D – Contract Template.
2.4.8 The Supplier must provide full details of how they are qualified to perform the Services covered by this RFP, giving sufficient information to demonstrate their understanding of the requirements and their capability to deliver the Services.
2.4.9 The Supplier is to respond to all questions in Annex C and provide evidence to support any claims where appropriate.
2.4.12 Proposals must be submitted to the sole contact person as specified in section 2.2 of this RFP.
2.4.13 All the service specifications are described in Annex B (‘Scope of works’) included with this RFP.
2.5 Clarifications (Submission of questions from Suppliers)
The process for receipt and resolution of questions shall be as follows:
• Suppliers will send questions by e-mail to the sole contact for this tender. There will be one round of questions. The deadline for questions is shown in section 2.3.
• The EBRD will respond to all questions in writing, sending an e-mail to all Suppliers on the date shown in the time schedule. Responses shall be sent to all Suppliers invited to participate in the process, with no indication of which Suppliers raised any particular question.
2.6. Proposal Validity
Proposals submitted shall be valid for 90 days following the proposal due date.
3.0 Evaluation Methodology
3.1 Evaluation of Proposals
The evaluation of Proposals will be based on:
Element of the Evaluation – Maximum Score Available – Percentage of Total
• Technical Proposal (Annex B) – 70 – 70%
• Financial Proposal – 30 – 30%
• Maximum Score Available – 100 – 100%
The shortlisting and selection of Suppliers will be based on the following evaluation criteria:
Details – Percentage of Total
Technical Proposal (Annex C):
• Cover letter summarising the expert's previous experience, knowledge, skills and qualifications – 40
• Responses to questions 1 and 2
• Sample report
Only those Suppliers who achieve a minimum of 80% (56 points) of the total number of points from the Maximum Score Available will be invited to submit a Financial Proposal.
Depending on the quality of applications, the Suppliers’ specific strengths and professional experience, and the Bank's specific operational needs, the EBRD reserves the right to award a contract not only to the highest-ranked candidate but to other shortlisted candidates as well.
An award, if made, is subject to the parties agreeing contract terms. The Bank reserves the right to award the two core elements of the work (Threat Benchmarking & Strategy, and Risk Assessment) to different suppliers.
In the event that a satisfactory conclusion to the contract negotiations cannot be agreed within one week two of the preferred supplier nomination, the Bank may consider the next highest scoring Supplier to be the preferred supplier and will commence the procedure described above.
3.2. Contract
The documents contained in this RFP, including the information contained in the submitted tender, shall form the basis of any contract that may ensue. The Contract awarded shall be performed in accordance with the Terms and Conditions contained in Annex D of this Request for Proposal.
3.3. Request for Proposal Cost
All Suppliers’ pre-sale costs, including but not limited to proposal preparation and presentation, system demonstrations, documentation, site visits, in-depth briefing of The Bank and negotiation meetings, are entirely the responsibility of the Suppliers and shall not be chargeable in any manner to The Bank. The Bank will bear the costs of sending its own staff to Suppliers’ locations or reference sites if necessary.
3.4. Final Negotiations
The Bank reserves the right to subject each proposal to final negotiations.
3.4. The Bank’s Right to Accept Any RFP Responses or Reject any or all RFP Responses
The Bank reserves the right to accept or reject any RFP response, or part thereof, and to annul the RFP process and reject all RFP responses at any time prior to award of contract without incurring any liability to the affected parties.
4.0 Confidentiality
4.1 The Suppliers shall treat the RFP as private and confidential.
4.2 No part of this RFP shall be reproduced in whole or in part in any form without The Bank’s prior express written consent.
4.3 All materials submitted to The Bank shall become the property of The Bank and will not be returned. If the Supplier intends to submit confidential or proprietary information as part of the proposal, any limits on the use or distribution of that material should be clearly delineated in writing.
5.0 EBRD Logo Protection
Please be advised that the Bank’s logo is a registered service mark and as such should not be reproduced without the express written permission of the European Bank for Reconstruction and Development.
Annex A
Minimum Requirements Checklist
PUR1412_19 Information Security Risk Assessment, Benchmarking and Strategy Review
SUPPLIER COMPANY NAME: ___________________________________ CONTACT NAME & EMAIL ADDRESS: __________________________________
MINIMUM REQUIREMENTS
Questions – Minimum Requirements – Answers (YES/NO)
1. Have you previously undertaken work for other International Financial Institutions and/or Commercial International Financial Institutions? YES / NO
2. Will the consultants performing the risk assessments be ISO27001 certified (either Lead Auditor or Lead Implementer qualified)? YES / NO
3. Do the consultants performing the risk assessments have knowledge of the IRAM risk assessment methodology (or equivalent)? YES / NO
4. Do you have a minimum of 5 years’ experience in carrying out the work which is specified in Annex B? YES / NO
Scope of Services
1. Background and Objective of Assignment
Since 2010, the European Bank for Reconstruction and Development (the “EBRD” or the “Bank”) has been enhancing its Information Security (IS) capability through a series of risk mitigation and IS ‘good practice’ activities.
The Bank’s Operational Risk and Information Security (ORIS) department wishes to engage one or more Suppliers to:
• Assess the primary threats facing the Bank with a particular focus on the potential threats emanating from the:
o Adoption of new technologies by the Bank;
o Expansion of the Bank’s operations into new regions and the cyber security threat/risk this brings;
• Analyse the wider International Financial Institution (IFI)/Financial Institution (FI) threat landscape and use this information to benchmark how the Bank’s information security controls compare to those in other international financial institutions (IFIs);
• Propose an IS Strategy for the Bank;
• Based on this threat assessment, scope and/or undertake detailed IS Risk Assessments (ISRAs) using the Bank’s new Operational Risk Tool. This tool is the ‘ARC Logics’ product from Wolters Kluwer Financial Services (WKFS) and will be used to support implementation and monitoring of the Bank’s Information Security Management System (ISMS), in line with the requirements of ISO/IEC 27001:2013 (the international standard for information security management).
This is collectively referred to as the “Assignment” and is summarised in Figure 1 below.
Figure 1: Summary of the Assignment (three work streams and their deliverables)
• Produce IS Threat Assessment, Benchmarking and Strategy Reports – deliverables: IS Threat Assessment Report; IS Benchmarking Report; Proposed IS Strategy Report
• Perform ISRA Scoping – deliverable: ISRA Scoping Document
• Perform IS Risk Assessments (ISRAs) – deliverable: Populated Operational Risk Tool for IS
2. Scope of Services
The Supplier(s) shall provide one or more of the services as follows:
a. Produce IS Threat Assessment, Benchmarking and Strategy Reports
Produce a high-level IS Threat Assessment Report for the Bank, taking into account:
• The Supplier’s experience/knowledge of other similar IFIs/FIs;
• Knowledge of the risks and threats from new technologies adopted, or planned to be adopted, by the Bank;
• The Bank’s expansion into new regions (e.g. considering current socio-political developments in relevant regions, for example, the Middle-East and Europe).
Produce an IS Benchmark Report summarising how the Bank’s information security controls compare to other IFIs and regulated FIs, together with detailed recommendations for improvement. It should be based on:
• The Consultancy/Consultant’s experience/knowledge of other similar IFIs/FIs;
• Interviews with relevant Bank personnel;
• Other IS-related review/audit reports to be provided by ORIS;
• The findings of the Threat Assessment Report (see above).
The IS Benchmarking Report will consider, as a minimum, the top level control headings in Annex A to ISO/IEC 27001:2013 and suggest potential improvements in terms of governance, process and/or technology. This report will also include an Executive Summary suitable for non-security/risk/technical specialists.
Produce an IS Strategy Report for the Bank, detailing the vision and outline roadmap for the Bank to be in the top quartile of its peer organisations with respect to IS, within the context of the risk areas described above. It should include detailed objectives, a roadmap for achieving them over the next three years, and indicative costs associated with this. This strategy should also take into account the Bank’s IT Strategy.
Deliverables:
i. IS Threat Assessment Report;
ii. IS Benchmark Report;
iii. IS Strategy Report;
iv. Meeting notes as required by the EBRD Operation Leader.
b. Perform IS Threat Assessment and ISRA Scoping
Produce an ISRA Scoping document which will scope and prioritise the ISRAs that will need to be performed (see item 2.c below). The currently planned ISRA scopes (and the priority for doing them) are shown in Figure 2 below, but these should be considered as a starting point only.
Figure 2: Current ISRA Scopes and Priorities (the original figure colour-codes each scope as High, Medium or Low Priority; the colours are not reproduced here)
1. Physical Environment (HQ, ROs)
2. Personnel
2a. Social Media
3. IT Infrastructure (Network, Gateways, Monitoring, Servers, Unstructured Data, Wireless, Backups)
4. Business Applications (Banking & Treasury Systems, HR Systems, BOLDnet, Other Business Systems (incl. xxxxLink, Collaboration Zones))
5. Endpoint Computing (Desktops, Laptops, Other Mobile Devices, BYOD)
6. Third Parties (Partners, Suppliers)
7. External Applications (non-Bank)
Cross-cutting: Risk and action tracking and reporting
KEY: High Priority / Medium Priority / Low Priority
Deliverables:
i. ISRA Scoping Document;
ii. Meeting notes as required by the EBRD Operation Leader.
c. Perform IS Risk Assessments
Manage IS Risk Assessments (ISRAs), based on the scope and priorities defined in the ISRA Scoping Document (see item 2.b.i above) and in accordance with the process defined in the Bank’s IS Risk Assessment Procedure (ISRAP) (Risk Assessments to be performed by the selected Supplier and relevant business representatives).
The results uploaded into the Operational Risk Tool will include at least the following:
• Business impact assessment in terms of confidentiality, integrity and availability;
• Threat and likelihood assessment;
• Controls effectiveness assessment, based on a proposed risk treatment plan;
• Residual risk rating based on the above;
• Actions/issues arising as a consequence of any of the above.
Once submitted, ORIS staff will review and approve the ISRAs using the Operational Risk Tool and track actions/issues requiring resolution.
Note that, depending on the accessibility of other Bank staff/resources (e.g. in the IT Department), it may take several months to complete these ISRAs.
Deliverables:
i. Updated Operational Risk Tool, containing the results of the ISRAs;
ii. Meeting notes as required by the EBRD Operation Leader.
3. Implementation Arrangements, Deliverables and Reporting
The Supplier(s) shall report to Julie Williams, the Head of Operational Risk and Information Security, on all aspects of their activities and liaise on a day-to-day basis with Imran Akhtar, the Senior Information Security Manager.
Meetings/interviews with Bank personnel will be held at EBRD’s London Headquarters. The Supplier(s) shall provide the following deliverables:
• Summary Progress Reports/Meeting notes as required;
• Written Draft Deliverables on all services/findings as defined in Section 2, to be submitted to the Director, Operational Risk and Information Security in an agreed format, no later than 4 weeks after commencement of each aspect of the Assignment (or as otherwise agreed);
• Written Final Deliverables on all services/findings as defined in Section 2, to be submitted to the Director, Operational Risk and Information Security in an agreed format, no later than 5 working days after having received the EBRD’s comments and/or request for clarifications on the Draft Deliverable (or as otherwise agreed);
• Presentations, if required, to EBRD’s Information Security Committee (ISC) and other Bank bodies, of aspects of this Assignment.
Services 2.a and 2.b above are expected to be provided to the Bank on a fixed price basis per deliverable; Service 2.c is expected to be based on a time & material basis, assuming a Central London location.
As professionals, the Supplier shall not be subject to supervision, direction or control as to the daily activities or the manner of performance thereof, and itself accepts the responsibility for the proper provision of Services in accordance with this schedule and within the deadlines for services and/or submission of deliverables as stipulated in this schedule.
There is no obligation on the Bank to require Services on any particular day (other than for previously agreed meetings), and no obligation to make payment in respect of any periods during which the Services are not required, or during which the Services are not in fact provided.
Annex C
Technical Proposal Submission Requirements:
In order to determine the capability and experience of Suppliers seeking to be selected for this Assignment, the information submitted must include the following:
1. Cover letter - summarising how the requirements in Annex B will be met.
2. Curriculum Vitae - should be detailed and include full descriptions of responsibilities carried out, not just a job title.
3. Supplier Profile - defining the Supplier fee rate per working day (in GBP).
4. Sample Report (sanitised as required) to show the quality of final deliverables,
plus responses to the following questions:
Question 1: Please describe where you have performed threat benchmarking exercises and produced IS strategies.
Question 2: Please describe where you have undertaken information security assessments based on the IRAM risk methodology (or equivalent).
Proposals should be submitted, in English, by e-mail, to reach the Bank no later than the Proposals Due Date in the timetable within this RFP.
Annex D
Contract Template