Request for bid for conducting of Information Technology audit of National Agency of Ukraine for Finding, Tracing and Management of Assets Derived from Corruption and other Crimes

General overview

EUACI is the comprehensive EU anti-corruption program in Ukraine financed by the EU and Denmark and implemented by the MFA of Denmark.     

The overall objective of the EU and Danish funding for anti-corruption efforts in Ukraine is to improve the implementation of anti-corruption policy in Ukraine, thereby ultimately contributing to a reduction in corruption. The EUACI is aimed at strengthening the capacity of the newly created anti-corruption institutions and enhancing external oversight over the reform process by the Verkhovna Rada, civil society and the media.

The work of the EUACI is streamlined through its 3 components: (1) strengthening the operational and policy-making capacities of state institutions dealing with the prevention and fight against corruption; (2) enhancing the capacity of local self-government, civil society, media, and business to contribute to the fight against corruption; and (3) increasing culture of integrity issues in Ukraine through the engagement of the business sector, the civil society and the media. 

Within component 1 the EUACI is working with the National Anticorruption Bureau of Ukraine (NABU), National Agency for Corruption Prevention (NACP), Assets Recovery and Management Agency (ARMA), Special Anticorruption Prosecutor’s Office (SAPO), State Financial Monitoring Service (SFMS), High Anti-Corruption Court of Ukraine (HACC), Parliament’s Committee on Anti-Corruption Policy (CAP).

Beneficiary

Subject to the continuation of the EUACI international technical assistance project for the period 2020-2024, ARMA and EUACI agreed on the work plan for cooperation during the implementation of the EUACI Phase II, which, inter alia, provides assistance to strengthen ARMA's IT capacity.

According to the work plan, it is envisaged that in 2021-2022 ARMA will conduct an IT audit, the conclusions and recommendations of which should form the basis of ARMA's IT Strategy, as well as become the basis for ensuring the safe operation and sustainable development of ARMA in the field of IT.

ARMA requests assistance to implement this activity to support its further needs for IT capacity building. 

In the course of the IT audit by ARMA’s request, it is planned to conduct an examination of:

• the computer system (network, server, and operating architecture, security infrastructure);
• the physical environment (physical infrastructure and organizational environment);
• the user environment;
• the information environment (processed information and technology of its processing).

During the first stage of implementation of this activity (August-October 2021) “Requirements for inspecting the components of the information and telecommunication system and its operating environments” were developed and approved by ARMA.

This TOR is based on the abovementioned document and contains the main requirements, technical and qualitative characteristics, the scope of work on the audit of information technology, namely information and telecommunications system (ITS) and its information environments of ARMA (hereinafter – ARMA ITS).

Owner of ARMA ITS: National Agency of Ukraine for Finding, Tracing and Management of Assets Derived from Corruption and Other Crimes.

The examination shall be restricted by the physical boundaries of ARMA’s premises where the ARMA ITS components are located (including ITSs of ARMA’s regional territorial units).

Contracting authority

The contracting authority is the European Union Anti-Corruption Initiative in Ukraine, supported by the EU and Denmark and implemented by the Ministry of Foreign Affairs of Denmark, hereinafter referred to as the Customer.

Purpose

The purpose of conducting the examination of ARMA ITS is the assessment of the existing IT resources’ conformity to the requirements of current business processes, identification of shortcomings, and drafting of recommendations for effective planning of the development of ARMA’s IT resources (development of an IT strategy for the ARMA capacity building).

Inspection of ARMA ITS should be conducted to prepare data for:

• recommendations for optimal development (upgrade) of ARMA ITS’s network, server and operating architecture, and of information processing technology in ARMA ITS;
• unification of the ARMA ITS components’ software and hardware;
• determination of the need to create (upgrade) KSZI in ARMA ITS and to design general requirements for the KSZI in the form of a description of each operating environment with identification of its components that may, either directly or indirectly, affect IS;
• identification of interference between components of various environments, documenting the inspection findings;
• determination of the feasibility and expediency of developing recommendations for a standard approach to the KSZI deployment in ARMA ITS (including KSZI in ITSs of ARMA’s interregional territorial units).

Deliverables from the ARMA ITS examination should be suitable for:

• development of ARMA IT strategy;
• designing the ARMA ITS development concept;
• designing the development (upgrade) plan for the ARMA information infrastructure;
• ensuring safe operation and sustainable development of the ARMA information infrastructure;
• planning and conducting penetration testing (pen test) of ARMA ITS;
• planning of advanced training for employees from the ARMA units responsible for the functioning of ARMA ITS.

Objective

The overall objective of this assignment is to conduct an examination of ARMA ITS, taking into account the above purpose and the fulfilment of the requirements described in this TOR.

In order to ensure the highest reliability and completeness of findings when organizing and conducting the ARMA ITS examination, the following basic principles for the conduct thereof shall be observed:

• independence, responsibility, and competence of the experts engaged in the conduct of the examination;
• completeness of the assessment;
• assessment based on available certificates, etc., for the ARMA ITS components.

Scope of Work

Examination of ARMA ITS (including ITSs of ARMA’s field offices) shall include, but not be limited to the following set of activities:

1. Preliminary review of ARMA ITS.
2. Planning the ARMA ITS inspection.
3. Examination of ARMA ITS and analysing the findings:
3.1. Examination of the components of ARMA ITS:

• network architecture;
• server architecture;
• operating architecture;
• physical infrastructure;
• security infrastructure;

3.2. Examination of the operating environments of the ARMA ITS components:

• information environment;
• user environment;
• organizational environment.

4. Documenting and approving the findings of the ARMA ITS examination.

A detailed description of requirements for examination is given in Appendix 1 of this TOR.

Deliverables

The following deliverables shall be provided by a Contractor:

1. Deliverables of the preliminary review of ARMA ITS

Deliverables of the preliminary review of ARMA ITS shall include, but not be limited to the working materials in which the experts who have analysed the relevant materials and reviewed ARMA ITS should state their opinion of:

• the degree of ARMA ITS’s conformity to the information provided;
• the completeness of the design, operating, regulatory and administrative documentation provided;
• justify the decision on the feasibility of carrying out further inspection work or on termination thereof;
• clarify proposals for the plan and sequence of carrying out any further work. 

Furthermore, recommendations may be given on the need to refine the submitted documents, develop additional documents or provide additional materials that should be used at subsequent inspection stages.

2. Deliverables from planning the ARMA ITS examination

Deliverables from planning the ARMA ITS examination shall include but not be limited to the ARMA ITS Inspection Program developed and coordinated with the ARMA.

When documenting the ARMA ITS Examination Program, experts should observe the requirements of GOST 19.301-79, DSTU 2853-94, other applicable standards and regulatory instruments in the field of IT and information protection, which concern the preparation and conduct of the examination.

3. Deliverables from the ARMA ITS examination and analysing the findings

Outcomes from the examination of ARMA ITS and analysing the findings shall include the performance of the full scope of the examination work stipulated by the approved ARMA ITS Examination Program by taking certain actions and conducting checks.

Deliverables from the ARMA ITS examination shall be finalized as the Examination Findings Report for the ARMA ITS components and their operating environments.

4. Deliverables from documenting and approving the ARMA ITS examination findings

Deliverables from documenting and approving the ARMA ITS examination findings shall include the compiled and approved Examination Findings Report for the ARMA ITS components and its operating environments.

Examination Findings Report for the ARMA ITS components and its operating environments, should include, but not be limited to the following parts:

1. findings of the ITS computer system analysis:

• network infrastructure;
• server infrastructure;
• operating infrastructure;
• security infrastructure;

2. findings of the ITS operating environment analysis:

• information environment (including processing technology);
• physical environment;
• user environment (personnel);

3. findings of the ITS organizational structure analysis:

• rules for the ITS operation;
• the structure and role composition of the ITS functional user teams;

4. findings of the analysis of information security provisions;
5. assessment of ITS assets and suggestions for optimal development (upgrade) of ARMA ITS’s network, server, and operating architecture, and of information processing technology in ARMA ITS;
6. suggestions for the unification of the ARMA ITS components’ software and hardware;
7. recommendations for the development (upgrade) of the KSZI in ARMA ITS, in the form of a description of each ARMA ITS’s operating environment, listing the components of various environments, which may, either directly or indirectly, affect IS;
8. opinions of the findings from the examination of the ARMA ITS components and its operating environments.

The Examination Findings Report for the ARMA ITS components and its operating environments shall be signed by the inspecting experts and duly approved by ARMA.

The Examination Findings Report for the ARMA ITS components and their operating environments shall be finalized and submitted according to the provisions of DSTU 3396.1-96, ND TZI 3.7003-05.

All documentation must be prepared in paper and electronic forms in Microsoft Word and/or Adobe PDF format.

Timing

The assignment shall start following a notification issued by the contracting authority, but not earlier than the date of signing the contract between the EUACI and the Contractor.

The intended commencement date of the conducting of the examination of ARMA ITS is 20 December 2021. The estimated time for the examination is up to 6 months starting from signing the contract. 

Methodology

It is envisaged that the assignment will be implemented by a team of experts familiar with the context and experienced with similar assignments.

By conducting the examination of ARMA ITS, a contractor shall work in close cooperation with the appropriate ARMA’s staff and shall perform on-site visits of the relevant services, desk review and consultations. The experts shall make use of all provided legislation, regulations, studies, reports and other relevant documents like statistics, background materials provided by the ARMA. Moreover, ARMA shall provide in due time any additional data, reports, analysis, statistics, studies, etc. identified as relevant by the experts during the lifetime of the implementation of this assignment.

By putting forward a team of experts, the Contractor shall ensure that the task will be developed with as much straightforwardness as possible, the proposed approach and the methodology shall be fine-tuned and a detailed work plan shall be elaborated. 

Estimated budget

The maximum budget for this assignment all included may not exceed DKK 223 067 (approximately EUR 30 000), including all expenses for travelling to ARMA’s regional territorial units.

Reporting and management

The performance of the Contractor will be judged upon reaching the purpose of this assignment as well as obtaining its results, as indicated in the section “Scope of work” and “Deliverables” herein respectively. 

By signing the contract, the Contractor agrees to hold in trust and confidence any information or documents, disclosed to the Contractor or discovered by the Contractors or prepared by the Contractors in the course of or as a result of the implementation of the contract, and agrees that it shall be used only for the task implementation and shall not be disclosed to any third party.

In the period until acceptance, the EUACI, Contractor, and ARMA will hold working meetings to exchange information and seek to clarify any questions of whatsoever nature. The purpose of the meetings is to ensure follow-up on any activities between the meetings, to maintain a common overview of the current stage of the assignment at a detailed level, and to ensure the day-to-day progress.

Background documents

The implementation of the assignment shall meet provisions of laws and regulations, such as:

• The Law of Ukraine on Information.
• The Law of Ukraine on Access to Public Information.
• The Law of Ukraine on Information Protection within Information and Telecommunication Systems.
• Rules for ensuring the protection of information in information, telecommunication, information, and telecommunication systems, as approved by the Resolution No. 373 of the Cabinet of Ministers of Ukraine dated 03/29/06
• DSTU 2226-93. Automated systems. Definitions.
• DSTU 3396.1-96. Information Protection. Technical Information Protection. Order of Carrying out the Works.
• DSTU 3396.2-97. Information Protection. Technical Information Protection. Definitions.
• DSTU ISO/IEC TR 13335-3:2003 Information Technologies. Guidelines for the Management of IT Security. Part 3. Techniques for the Management of IT Security.
• ND TZI 1.1-002-99 General provisions for protecting information in computer systems against unauthorized access
• ND TZI 1.1-003-99 Terminology in the field of protecting information in computer systems against unauthorized access
• ND TZI 1.1-005-07 Information protection at information activity facilities. Setting up a technical information protection complex. Key Provisions.
• ND TZI 3.7-003-2005. Procedure for setting up a comprehensive information security system in the information and telecommunication system.

How to apply

The deadline for submitting the proposals is 14 December 2021, 17:00 Kyiv time.

The bidder must submit the following information to be considered:

1. Brief company profile (maximum 2 pages).
2. The CVs of experts (no more than 3 pages for each expert).
3. List of projects with a short description (up to 3 projects), similar to this one, in which the experts involved in this project took part in the last 3 years.
4. Brief description of the methodology (no more than 4 pages) of the proposed consultation.
5. Financial proposal with a budget for services in Euros (including all expenses for travelling to ARMA’s regional territorial units).
6. Copies of certificates and permits as specified in Appendix 2 and Appendix 3 to this TOR.

The applicant should meet the qualification requirements as described in Appendix 2 of this TOR.

The proposals shall include the aforementioned information and should be submitted within the above deadline to: serkon@um.dk, indicating the subject line “ARMA IT audit”, 

Bidding language: English. 

Any clarification questions for the bid request should be addressed to: serkon@um.dk no later than 6 December 2021, 17:00 Kyiv time.