A draft Terms of Reference

IDF Grant for Computer Incident Response Team and Policy and Regulatory Issues in the Telecom Sector Project

Consultancy Services for Implementation of national CIRT (BtCIRT)

BHUTAN

1 BACKGROUND

The Ministry of Information and Communications, Royal Government of Bhutan, has received financing from the World Bank toward the cost of establishing the Bhutan Computer Incident Response Team (BtCIRT) and related capacity development, and intends to apply part of the proceeds towards payments under the contract for hiring consultancy services to establish BtCIRT. The services cover the user requirement specification and computer networks, pre-installation and preparation of a step-by-step guide for network and hardware, installation and testing of software, and any further enhancements required for the application and for training. The consultant shall work with the Department of IT & Telecom (DITT), Ministry of Information & Communications (MoIC).

2 OBJECTIVE

The overall objective of the project is to set up a fully operational BtCIRT within the Department of IT & Telecom (DITT) in the Ministry of Information and Communications (MoIC) in order to coordinate information flow, respond to and manage cyber threats, and enhance cybersecurity in the country. The BtCIRT will serve as a trusted and central coordination point of contact for cybersecurity, aimed at identifying, defending against, responding to and managing cyber threats.

3 PURPOSE

The establishment of BtCIRT is needed to help ensure the protection of the nation’s Critical Information Infrastructures and to assist in drafting the overall plan for the country’s approach to cybersecurity-related issues; it can thus serve as a focal point for further building and implementing the National Culture of Cybersecurity. BtCIRT is a key component of a national approach to cybersecurity and is a cornerstone to which other cybersecurity-related activities can be linked.
In this respect, the establishment of a national CIRT, and the development of related processes at the national level, can also serve as a foundation for the development of the following activities:
● Building a knowledge base that supports the country’s development and implementation of a national cybersecurity strategy as well as a national approach for the protection of critical information infrastructures;
● Supporting the building of a national culture of cybersecurity, and related awareness-raising initiatives among public officials and the public in general;
● Supporting the development of related national cybersecurity platforms, for example the national Public Key Infrastructure, the e-Government framework and approach, the national identity and access management framework, and combating SPAM, botnets, etc.;
● Assisting in the planning/development of a national strategy on child online protection;
● Further enabling the country to develop and enhance its national incident response and management capabilities.

4 SCOPE

The scope for this project is as below:

i. Assessment Stage
● Prepare the Guidelines on National CIRT - Team Forming and Hardware/Software Required, so that the country can carry out site preparation
● With the assistance of the identified CIRT team members, define the roles and responsibilities under which the CIRT should operate
● CIRT awareness training and capacity building, explaining the tasks and task objectives to the team members and constituencies of the country
● Prepare the necessary toolkits for a proper project kick-off, based on best practices and experience
● Prepare and conduct capacity building activities, training the CIRT country team so as to build awareness of their existence and role as a CIRT
● Review the current legislation status, policy & strategy, and standards on cybersecurity
● Identify the project stage risks and prepare mitigation plans
● Information gathering (gap analysis) related to the country’s laws, politics, culture, existing critical resources and infrastructure, and current incidents and trends
● Prepare the plan based on a combination of best practices and an assessment of the country’s cybersecurity readiness

ii. Planning & Design Stage
● Outline the requirements and activities of the national CIRT, how it will operate, etc., in a more detailed approach
● Identify the technical specifications of the hardware/software requirements
● Design the network for BtCIRT
● Plan the establishment of secure communication channels between the various constituencies that will be served by the CIRT
● Identify the requirements and activities needed by the public and private sectors for the CIRT to operate successfully
● Based on the assessment of the CIRT team members, clearly define the roles, responsibilities and knowledge needed to run CIRT operations
● Help in specifying the incident management processes related to each critical sector they are serving
● Develop a standard set of criteria and consistent terminology for categorising and defining incidents, activities and events
● Develop the definitions of the incident handling guidelines, reporting requirements, and processes for how the BtCIRT will interact with its constituency and other partners such as academia, industry, civil society, law enforcement agencies, international organisations, etc.
● Identify the existing disaster recovery, incident response, business continuity, crisis management or other emergency response plans
● Determine the processes needed for integration with the existing disaster recovery, incident response, business continuity, crisis management or other emergency response plans
● Identify and determine the possible constraints that might affect the development of processes and mitigation strategies
● Develop strategies and methods for building trusted relationships and collaboration with other partners or stakeholders
● Identify and define the coordination workflows with the constituency and partners on incident response
● Define the methods to be used for information dissemination to the constituency
● Identify countries that have successfully implemented a CIRT, for a study visit

iii. Implementation Stage
● Implement the definitions of the incident handling guidelines, reporting requirements, and processes for how the Bhutan CIRT will interact with its constituency and other partners, according to the design
● Install and configure/customise the software applications environment for CIRT operations (incident handling, escalation, service desk)
● Implement strategies and methods for building trusted relationships and collaboration with other partners or stakeholders
● Finalise and implement the CIRT processes & workflow
● Finalise the CIRT policies and procedures, legal & regulatory framework, standards, etc.
● Prepare training materials and user guides
● Install and configure the network
● Conduct system integration tests
● Prepare application installation guides
● Organise a study visit

iv. Operations Stage
● Conduct post-implementation reviews

5 SCHEDULE AND MILESTONES

The project milestones are depicted as below:

Milestone                              Due
1. Kick-Off Meeting                    Contract signing + 1 week
2. Planning and Design Stage           Contract signing + 5 weeks
3. Implementation and Testing Stage    Contract signing + 14 weeks
4. Operation Stage                     Contract signing + 22 weeks
5. Project Handover                    Contract signing + 23 weeks
6. Project Closure                     Contract signing + 24 weeks

6 DELIVERABLES

1. Planning & Design Stage
● Create and approve the User Requirement Specification (URS)
  o Analysis of the environment and constituents; SWOT, PEST
  o Identify the constituency for the CIRT
  o Define the Mission Statement for the CIRT
  o Determine CIRT services
  o Determine reporting structure, authority and organisation
  o Define CIRT processes and workflow
  o Develop policies, procedures and documentation
  o Identify interactions with the constituencies
  o Define roles and responsibilities for interaction
  o Determine technology requirements: technical specifications of hardware/software requirements
  o Human resources requirements
  o Capacity building programme
  o Communication approach
  o Identify the CIRT physical location
● Design the CIRT according to the URS
● Network design according to the URS
● Installation and preparation step-by-step guide for network and hardware

2. Implementation & Testing Stage
● Installation and testing
  o Incident reporting and tracking system
  o Installation and configuration of the network
  o Helpdesk, website and mailing list software
  o Hardware & software, databases, data repositories, data analysis tools, etc.
  o Network monitoring and log retention solutions
● Fine-tuning of the CIRT application and training
  o Training of the CIRT team on CIRT operation and incident response
  o Finalised CIRT processes and workflow
  o Finalised policies & strategies, procedures, standards and documentation
  o Assess infrastructure for the constituency
  o Hardware configuration and software installation
  o Address legal issues
  o CIRT announcement

3. Operation Stage
● Service desk support for CIRT operations
● Post-Implementation Review Report

7 SERVICES AND FACILITIES PROVIDED BY MOIC

MoIC will facilitate the execution of the assignment by ensuring the cooperation of its key relevant bodies and of the sector stakeholders relevant to the process.
The MoIC will also provide the following logistics support, if necessary:
● Office space in the DITT building
● Internet facility
● Local telephone facility
● Shared printer of the office

8 REQUIRED QUALIFICATIONS, KNOWLEDGE AND EXPERIENCE

● The firm should have a minimum of 5 years of active experience in a similar task, and the following team members are required, at minimum, to complete the task:
● Team lead: minimum qualification of a Bachelor’s degree in ICT/Telecom/Computer with a minimum of 5 years of experience in a similar task
● Certified Incident Handler: minimum qualification of a Bachelor’s degree in ICT/Computer with a minimum of 2 years of experience, and certified as an Incident Handler
● Certified Forensic Analyst/Examiner: minimum qualification of a Bachelor’s degree in ICT/Computer with a minimum of 2 years of experience
● Network Engineer: minimum qualification of a Bachelor’s degree in ICT/Computer with a minimum of 2 years of experience in network design for similar tasks, and a solid understanding of networking, firewalls, and the various protocols involved in data sharing and communications
● System Engineer: minimum qualification of a Bachelor’s degree in ICT/Computer with a minimum of 2 years of experience with Unix, Linux, Mac and Windows systems and the implementation of similar tasks
● Web Developer: minimum qualification of a Bachelor’s degree in ICT/Computer with a minimum of 2 years of experience in web development and hosting for similar tasks