Call for Applications by The Institute for War & Peace Reporting (IWPR): Data Protection Consultant
Title of Assignment: Data Protection Consultant
Location: Armenia
Duration: From: July 15, 2024 To: November 30, 2024
Application Deadline: July 5, 2024
Background, Objectives and Justification
The Institute for War & Peace Reporting (IWPR) is an independent not-for-profit organisation that works with media and civil society to promote positive change in conflict zones, closed societies, and countries in transition around the world. As part of its program activities, IWPR, in partnership with the Global Network of Women Peacebuilders (GNWP), is implementing its initiative Building Resilience in the Eastern Neighbourhood (BREN), which is supported by the UK Government’s Integrated Security Fund (ISF).
IWPR’s BREN program seeks to strengthen the resilience of non-state actors, including marginalised communities, and enhance their ability to deliver transformative, inclusive, and sustainable contributions to peace, stability and security in Armenia, Azerbaijan, Georgia, and Moldova.
Civil society organisations (CSOs) in Armenia, Georgia, Moldova, and Azerbaijan face a range of challenges and threats to their work. Various research carried out with the support of ISF (including BREN’s own research) indicates CSOs in the region are especially vulnerable to cyber-attacks, including data breaches and theft, due to lack of cyber security threat awareness and protective measures, amongst other reasons.
Already at risk of cyber attacks as is any country, Armenia faces exacerbating circumstances in the immediate term with the occurrence of significant events, including the 1325 National Action Plan discussions and border demarcation process.
Building on IWPR’s previous activities involving this subject matter, IWPR is seeking a local expert consultant in Armenia to support strengthening data, information, and communications protection practices among up to 10 CSOs. The activity’s objective is to strengthen the CSOs’ data and communications protection practices to protect sensitive information from internal and external unauthorized access and usage. (Note: Most of our potential trainees have already had basic cybersecurity instruction. We are not looking for a basic cybersecurity training course. Instead, we are looking for data protection topics. See below under Suggested Data Protection Training Topics for potential topics that should be addressed in the training).
All trainers and mentors must speak Armenian. The services are scheduled to be delivered over four months, running from 15 July 2024 to 30 November 2024.
Scope of Work
The Consultant will support implementation of data, information, and communications protection strategy, policies, and procedures based on best practices among participating CSOs, as follows:
1) Provide one hybrid in-person/remote half-day training on data, communications and information protection best practices. (Up to 10 CSOs are eligible to participate in the training. Each CSO may send up to 2 participants, for a total number of 20 training beneficiaries. Some CSOs are located outside of the city and will not be able to attend in person, so the training must be offered online with two-way engagement.) See below for suggested topics that should be covered during the training;
2) Conduct an audit of the participating CSOs’ data, communications, and information security practices, identifying weaknesses. (Up to 10 CSOs are eligible to participate in the audit);
3) Collaborate with the CSO to develop a data, communications and information security strategy, policies and procedures, and corrective action plan, as needed, based on best practices (Up to 10 CSOs are eligible to participate in this activity);
4) Mentor the CSO as it implements the plan. Each CSO may receive up to 4 hours of mentoring during the project period. Up to 10 CSOs are eligible to participate in this activity. Mentoring hours must not exceed a maximum of 48 hours total for all CSOs combined.
Suggested Data Protection Training Topics
1. Understand data technologies and databases
- Database models (One-tier, two-tier and three-tier models)
- Data storage options (cloud, local)
-- Best practices
-- Recommendations of cloud providers (or what to look for in a cloud provider)
2. Identify and classify sensitive data; implementing access controls
- Public data — Data that does not need special protection and can be shared freely.
- Private data — Data that employees may access but that should be protected from the wider public.
- Confidential data — Information that may be shared with only selected users, such as proprietary information and trade secrets.
- Restricted data — Highly sensitive data, like medical records and financial information that is protected by regulations.
3. Access controls (physical, technical and administrative)
- Administrative controls (supervisory responsibility, employee training, employee termination procedures, e.g. cutting access)
- Technical controls (data storage, permissions, access control lists, security devices and methods (data loss prevention, firewalls, NAC, proxy server))
- Physical controls (locking down computers/work stations, BIOS password control.)
4. Laptop and mobile device security
- Best practices: Encryption, public wifi usage, VPNs, strong passwords, camera vulnerabilities and usage in the office
5. Data encryption (laptops, phones, computers, etc).
- Best practices
- Recommended encryption tools (or what to look for in an encryption tool)
6. Data back up
- Best practices
- Recommended tools (or what to look for in a data back-up tool)
7. Harden the organization’s systems
- Reconfiguring the operating system’s default/baseline settings.
- Web servers (best-practice controls: updates, permissions)
- Email and email servers (best practices configurations/settings)
8. Timely implementation of updates/ patch management
9. Protecting data from insider threats
- Authorized users misusing rights and privileges
- Unauthorized users gaining access from inside the office, e.g., unprotected wireless network.
- Remote access vulnerabilities
10. Endpoint security tools (options, best practices, recommendations)
- Antivirus software
- Antispyware
- Pop-up blockers
- Firewalls
11. Securing/locking and recycling of equipment
- Secure workspace area, disposing of trash, destruction of sensitive data, ID cards, access to keys, lock codes, discarding/recycling computers, phones, etc.
12. Provide a model/template data usage policy
Main Deliverables and Timeline
| Deliverables | Timeline | Payment upon deliverables approval |
|---|---|---|
| 1) In consultation with IWPR, finalize the detailed workplan and develop the monitoring, evaluation and learning (MEL) framework for the project. | 1 week: July 2024 | At Milestone 1 below |
| 2) Conduct 1 half-day hybrid (in-person with remote option) training on data, communications and information protection. (Up to 20 CSO representatives attending). | ½ day: July 2024 | Milestone 1: After the training is conducted and submission of the required invoice. |
| 3) Conduct data, communications and information security audit of each participating CSO (up to 10 CSOs). | July-August 2024 | At Milestone 2 below. |
| 4) Develop data, communications and information protection strategy and corrective action plan, as needed, with each participating CSO based on best practices | September-October 2024 | Milestone 2: After the plans are delivered to the CSOs and submission of the required invoice. |
| 5) Mentor each participating CSO with implementation of the strategy and corrective action plan (up to 4 hours of mentoring per CSO). Mentoring hours must not exceed a maximum of 48 hours total for all CSOs combined. | September-October 2024 | At Final Payment below. |
| 6) Prepare MEL report and submit to IWPR. | Due November 15, 2024 | Final Payment: After delivery of the MEL report and submission of the required invoice. |
Budget
Please submit a budget for IWPR’s review.
- The budget should include all project-specific costs and expenses, including trainer and mentor fees, travel, etc. Consultant fees should be expressed in terms of an hourly or day rate, as applicable.
- The Consultant does not need to include logistical costs related to providing the in-person training, e.g. venue, catering, teleconferencing set up. IWPR will directly coordinate and fund such logistics.
Payment Schedule
The consultant will invoice for services rendered based on the Milestones identified in the table above.
Work Relationships
The Consultant shall report to and work directly with the BREN Capacity Building Manager. The Consultant will also work with IWPR’s respective country coordinators in each country.
Application and Evaluation Process
The Consultant should submit the following to [email protected] by no later than July 05, 2024:
- Proposed work plan, including sample training agenda and topics and training plan and schedule.
- Description of the organization or trainers/mentors and their respective experience and capabilities related to subject matter of this ToR.
- CVs of all proposed trainers and/or mentors.
- Itemized budget for all costs and fees based on the chart in item 3 above (detailed costs in British Pound Sterling (GBP £), with applicable Tax/Charges clearly identified, and provided against each of the categories of services described in the chart.)
- Contact name, email address, and telephone number to facilitate communication between IWPR and the Consultant.
Applications will be evaluated based on the following criteria:
Experience – 30 points: Ability to deliver all the requirements required by IWPR
Price – 30 points: Value for money
Technical – 40 points: Responsiveness to the ToR specifications and requirements.
| Evaluation criteria | Evaluation sub-criteria | Points | Max points |
|---|---|---|---|
| Experience (30 points) | | | |
| Organisational and/or individual experience | Experience in the subject matter of the ToR; prior work with CSOs; personnel and/or organisational resources are adequate and appropriate to implement the ToR's activities | | 30 |
| Price (30 points) | | | |
| Budget reasonableness | Completeness of budget; all budget items are necessary and appropriate; price reasonableness; value for money? | | 30 |
| Technical (40 points) | | | |
| Proposal/Work Plan | Does the proposal clearly explain, understand and respond to the requirements as stated in the Terms of Reference? | | 40 |