Terms of Reference
Consultancy to implement best practice data security solutions within the organization
For the Max WASH II program
Max Foundation, Bangladesh

Organization: Max Foundation, Bangladesh
Duration of Assignment: 30 days
Expected Start Date: March 15, 2018 (tentative date)
Position Type: Consultant / service provider
Work name: To implement best practice data security solutions within the organization and equip it with effective and efficient guidance and tools on data protection
Submit Application to: Sr. Manager MEL, Max Foundation, Bangladesh Office
Application Deadline: 8th March 2018

1. Background
Max Foundation (MF) was founded in 2005 by Joke and Steven Le Poole, following the death of their son Max in 2004. Max died when he was only eight months old, of a rare viral infection.

Steven and Joke wanted something positive to come out of Max’s death. To spare other parents such deep pain, and give as many children as possible the future that Max didn’t have, they set up Max Foundation.
With the support of many donors and volunteers, Max Foundation has grown into a professional organization.

2. MF Approach

MF finances small-scale water, sanitation and hygiene (WASH) and health programmes, implemented in the poorest and most remote regions of Bangladesh by local partner organizations.
MF has standardized and improved its approach to further increase impact per euro. Recently the organization planned to implement Payment by Results (PbR) in the Max WASH II program: a S.M.A.R.T. and innovative monitoring and evaluation system which measures the outputs, outcomes and impact of the program in the communities. PbR is a partner management system which replaces (often partially) input-based funding with output-based funding. In this modality the provider of the service is only paid upon objective verification of pre-defined outputs, outcomes and impacts.

MF has already planned to implement this system with its implementing partners in Bangladesh, although in practice PbR systems are usually implemented between funding agencies and international NGOs. This is a shift away from the more traditional input-based focus of development payments, in which partners get paid first and deliver results second.

The partner NGOs (PNGOs) of MF collect beneficiary data from the field through tablets using an Android application. Field officers of the PNGOs carry out this important task, and the collected data goes directly to the cloud, where it can be accessed by the partner NGOs and MF. The collected data includes details of the beneficiary such as demographic information, contact number, status of access to safe water and improved sanitation, and some other project-related information. Because this data consists of personal information, it is very important to protect it from any unauthorized access.

The databases that have been created or are being maintained by MFB are also of great financial value. For example, a database containing home addresses, contact numbers, investment in water and sanitation, and SRHR information of individuals is of great value to retailers, who, based on this information, can target advertisements, market their products and arbitrarily limit competition. Moreover, Max Foundation has already set up a call center to verify the collected data by calling the beneficiary or his/her designated contact person. The voice recordings of the call center are likewise important data to guard from illegal use or distribution. Any unauthorized access to personal data is a great risk for MFB under the personal data protection laws of the Government of Bangladesh, and this consultancy is about minimizing and mitigating that risk.

3. Objective of the Assignment and Service options

The specific objective of this consultancy assignment is to provide a clear understanding of the legal situation and obligations of Max Foundation when handling this amount of personal data. The consultant will review the existing infrastructure and systems and recommend improvements (antivirus, software, firewall, security policy/strategy, any smart/proven technology, disaster recovery plan, etc.) to make the data highly secure against any unauthorised access. Sometimes internal employees or close stakeholders can cause a security breach, so the consultant should also prepare a non-disclosure agreement which is in accordance with the applicable laws of the Government of Bangladesh and with widely accepted international regulations.

4. Scope of Work

The consultant will work on the following areas:

1. Need Analysis: What needs to be done to implement best information security and data protection policies and practices, so that data is only used in authorized ways and legal compliance with the requirements of the Government of Bangladesh is ensured.
2. Risk Analysis: What are the risks regarding data security?
3. Risk Mitigation Framework: How to remediate the risks; the treatment plans.
4. Policy Development: Data security policy development.
5. Agreement with stakeholders: Preparing a non-disclosure agreement with staff and stakeholders.
6. Disaster Recovery Plan: Recommendation for a smart disaster recovery plan.
7. Virus free environment: Recommendation for a virus free environment.

Detailed scope of work:

A. Human level security breach

  • What needs to be done about security breaches caused at the human level? How can Max Foundation Bangladesh be legally protected in case of any data security breach incident?

B. Software and Services

  • What types of software and services need to be implemented to make the Max system more secure and free from the threat of unauthorized access?
  • Time, budget and design needed to make the software and services operational with the existing system.

C. Hardware requirement

  • What types of additional hardware need to be implemented to make the Max system more secure and free from the threat of unauthorized access?
  • Time, budget and design needed to make the hardware operational with the existing system.

D. Disaster Recovery Plan

  • A complete disaster recovery plan must be submitted, stating time, budget and design.

E. Virus free environment

  • Specific recommendations are needed to make the network completely virus free.

5. Expected Deliverables by the consultant

The deliverables are listed below by serial number (SL#), module name and features.

1. Final/complete report on data security
   • A complete report with recommendations to implement best information security and data protection policies and practices. This includes a list of possible risks and their remediation.

2. Data security policy development
   • To make Max Foundation Bangladesh legally protected in any case of data security breach. This includes a non-disclosure agreement developed for internal employees and other stakeholders.

3. Smart disaster recovery plan with a virus free environment
   • To prepare a smart disaster recovery plan for Max Foundation Bangladesh. This also includes recommendations to make the IT environment virus free.

6. Time frame

The assignment is expected to start on 15 March 2018 for an estimated duration of 30 calendar days. This will include discussions with team members and stakeholders, a review of existing systems and infrastructure, analysis, and sharing of the draft report.
The consultant will submit a proposed work plan with key milestones within three days of signing the contract; this work plan will be reviewed and approved by MFB. It is anticipated that the final report will be produced within 30 calendar days of signing the contract. Once the draft report is produced, it should be shared with MFB, which will provide feedback on the draft within three days of receiving it. During the whole period of the assignment, follow-up meetings will be held between the contracted consultant/consulting firm and Max Foundation Bangladesh as needed.

7. Roles and responsibilities of the Consultant and Max Foundation

Max Foundation will facilitate and provide arrangements and support services/ facilities for the work of the consultant.

8. Payment schedule

Payment will be made by account payee cheque or by bank transfer on submission of an invoice: 30% on submission of the data security policy and work plan, and 70% on submission of the smart disaster recovery plan and the final report.

Note: The selected firm/individual will submit invoices as per the payment schedule. Tax and VAT will be deducted at source from the bills payable to the selected firm/individual. If the selected firm has tax/VAT exempt status or any kind of waiver, it must submit the necessary supporting documents with the proposal.

9. Eligibility of the individual Consultant/Firm

  • The consulting party should have experience with both the legal side (legal obligations as well as mitigating contracts) and technical solutions.
  • A B.Sc./M.Sc. degree in Computer Science/Engineering, Information Security, Cyber Security or a related field is required.
  • Professional industry certifications and experience in networking systems and network security are recommended.
  • Certification in CISA/ISMS, CEH/CHFI is expected. CISM/CISSP would be an advantage.
  • Minimum 5 years of working experience in the information security field.

10. Terms and conditions

  • Max Foundation reserves the right to accept or reject any proposal without giving any verbal or written rationale whatsoever.
  • Max Foundation reserves the right to monitor the quality and progress of the work during the assignment.
  • Before payment, Max Foundation may review the supporting vouchers in connection with the submitted invoice.
  • Failure to deliver outputs before the set deadlines may result in penalties as per the existing policies of Max Foundation.

11. Proposal Submission guideline

  • Submit electronically to the email address hrmmfb@gmail.com; submission to any other e-mail account will result in disqualification.
  • Please use the following subject line for the email application: “Proposal to implement best practice of data security solution”.
  • The last date of submission is 8th March 2018 at 5 PM. Submission after the deadline will result in disqualification.
  • Submit your financial and technical proposals (according to the template), CV, profile, TIN certificate and other required documents with the mail, in one zip folder.
  • Please note: both the technical and the financial proposal must be no longer than 5 pages (maximum) and must be submitted in PDF format.