Security Audit Terms Of Reference (Tor) At Living Goods

Company: Living Goods


Details of the offer

Key Tasks:
The purpose of the IT security audit is to provide an independent evaluation of the applications, database, server architecture and network infrastructure, in order to identify any gaps in systems and an adequate IT security framework in accordance with best practices of industrial Enterprise Architecture Framework. The scope includes assessment of Living Goods’ applications, security settings, server, network and associated IT infrastructure. The main goals of the security audit are the following:
State of affairs report: To review the overall application and network technical design and deployment with a view to determining whether these designs are fit for purpose and what gaps and holes exist within these designs and deployments.
Application software architecture review: To provide assurance that the technical architecture of the SmartHealth, Supervisor and other operational and ancillary applications meets the current and future needs of the organization. The auditor must assess control and authorizations, error and exception handling, business process flows within the application software and complementary controls (enterprise level, general, application and specialist IT control) and procedures and validation of reports (both operational and financial) generated from the system.
Network architecture and security review: Given that the environments that Living Goods operates in possess different policy frameworks dictating the storage and transmission of healthcare and financial data, we are keen to have the consultant perform a network and data transmission security audit to outline the threats and gaps that are presented by this. The aim of this audit is to provide assurance that the components of our deployments (databases, web and application servers, cache systems, along with other systems) are fully secure and correspond to the control objectives of the control system. Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.
Data integrity review: To provide assurance that the database design and structure provide the best possible design for the organizational needs and corresponding application and future integration needs. The purpose is the scrutiny of live data to verify adequacy of controls and impact of weaknesses, as noticed from any of the above reviews.
Business continuity review: The review covers the existence and maintenance of fault-tolerant and redundant hardware, backup procedures and storage, a documented and tested disaster recovery/business continuity plan, and the effectiveness of the disaster recovery plan, as well as ensuring that a well-defined IS audit manual exists and is complied with.

Responsibilities:
A comprehensive Digital Applications and Information Systems Security Audit must be undertaken, covering various key processes and procedures undertaken at multiple sites:
Penetration testing and Vulnerability assessment
Application software architecture analysis
Scaling and expansion options and policy framework
Data integrity audit
Security & Privacy policies
Business continuity assessment
Change Management procedures
Logical Access Controls
User Management and Security audit
Performance, Scalability and Availability audit
Consistency with requirement Specification audit
Incident management
Backup practices
Software Document Management

Deliverables:
The consultant will be required to provide the following deliverables:
State of affairs report
Application software architecture audit report
Data integrity audit report
Business continuity audit report
Network security audit report
Backup practices report
Inception report
Draft Gap Analysis report, with recommendations, and
Final Comprehensive report

Minimum qualifications and experience:
Technically sound. You have a Master's-level degree in public health, international development, and/or university degree in information and communication technology or computer science. You have 5+ years of experience implementing digital health or large-scale projects at global level, as well as providing technical assistance to government, donors and/or implementing partners.
Stakeholder Management. You understand how national stakeholders operate and can correlate expectations of the key players, i.e. government staff, implementing partners, donors, etc., in digital and/or community health. You are well versed in the stakeholder landscape, coordination norms, and decision-making protocol to ensure efficient alignment.
Articulate. You are fluent in written and spoken English. You have excellent communication skills, both oral and written, for policy briefs, PowerPoint presentations, et cetera.
Analytical. You have exceptional analytical skills. You possess critical thinking skills to enable troubleshooting in unpredictable environments.
Adaptable. You are eager to work with people of different technical backgrounds: the private sector, social entrepreneurial sector, non-profit sector and public health community. You have proven ability to contribute and to succeed in a fast-paced setting that requires independent thinking. You are solutions oriented.
Project management master. You are disciplined, methodical, and organized. You are detail-oriented in your knowledge management and information systems, from email to Dropbox folders. You keep your eyes on the prize, but also set and achieve collective goals with others along the way. You are self-directed and able to move things forward with limited input from others.
Team player. You play well with others and enjoy seeing the impact of our work as a team.
Multitasker. You’re able to juggle multiple tasks at once while ‘keeping calm and carrying on.’ You think strategically, handle ambiguity, and work well in a multicultural environment.

EVALUATION CRITERIA:
The criteria for evaluation of the proposal are as follows:
Work experience in a Consulting Firm
General Experience
Special Experience

Qualification and Experience of Manpower
Team Leader
IT Expert

Methodology of Job accomplishment and work plan
Knowledge Transfer
Understanding of TOR


Source: Myjobmag_Co

Built at: 2024-04-30T04:54:53.746Z