ToR BtCIRT - Department of Information Technology

A draft Terms of Reference
IDF Grant for Computer Incidence Response Team and Policy and Regulatory Issues in
the Telecom Sector Project
Consultancy Services for Implementation of national CIRT (BtCIRT)
BHUTAN
1 BACKGROUND
The Ministry of Information and Communications, Royal Government of Bhutan has
received financing from the World Bank toward the cost of establishing the Bhutan
Computer Incident Response Team (BtCIRT) and capacity development, and intends to
apply part of the proceeds towards payments under the contract for hiring the consultancy
services to establish BtCIRT, user requirement specification and computer networks,
pre-installation and preparation of a step-by-step guide for network and hardware, installation
and testing of software, and any further enhancements required for application and training.
The consultant shall work with the Department of IT & Telecom (DITT), Ministry of
Information & Communications (MOIC).
2 OBJECTIVE
The overall objective of the project is to set up a fully operational BtCIRT within the
Department of IT & Telecom (DITT) in the Ministry of Information and
Communications (MoIC) in order to coordinate information flow, respond to/manage
cyber threats and enhance cyber security in the country.
The BtCIRT will serve as a trusted and central coordination point of contact for
cybersecurity, aimed at identifying, defending, responding to and managing cyber threats.
3 PURPOSE
The establishment of BtCIRT is needed to help ensure the protection of the nation’s
Critical Information Infrastructures, assist in drafting the overall plan on the country’s
approach to cybersecurity related issues, and thus can serve as a focal point for further
building and implementing the National Culture of Cybersecurity.
BtCIRT is a key component of a national approach to cybersecurity and is a cornerstone
upon which other cybersecurity related activities could be linked. In this respect, the
establishment of a national CIRT, and development of related processes at the national
level, can also serve as a foundation for the development of the following activities:
● Building a knowledge base that supports the country’s development and
implementation of a national cybersecurity strategy as well as a national
approach for the protection of critical information infrastructures;
● Supporting the building of a national culture of cybersecurity, and related
awareness raising initiatives among public officials and the public in general;
● Supporting the development of related national cybersecurity platforms, for
example: the national Public Key Infrastructure, e-Government framework
and approach, national identity and access management framework,
combating SPAM, botnets, etc;
● Assisting in the planning/development of a national strategy on child online
protection;
● Further enabling the country to develop and enhance its national incident
response and management capabilities.
4 SCOPE
The Scope for this project is as below:
i. Assessment Stage
● Prepare the Guidelines on National CIRT - Team Forming and Hardware/Software
Required so the country can do site preparation
● With the assistance of the identified CIRT team members, define the roles and
responsibilities that the CIRT should operate on
● CIRT awareness training and capacity building, explaining the tasks and task
objectives to the team members and constituencies of the country
● Prepare necessary toolkits to do a proper project-kickoff based on best practices
and experience
● Prepare and conduct capacity building activities, training the CIRT country team to
provide awareness of their existence and role as CIRT
● Current Legislation Status, policy & Strategy, standards on Cybersecurity
● Identify the project stage risks and prepare mitigation plans
● Information gathering (Gap analysis) related to the country’s laws, politics,
cultural, existing critical resources and infrastructure, current incidents and trends.
● Prepare the plan based on combination of best practices and assessment of the
country’s cybersecurity readiness
ii. Planning & Design Stage
● Outlining the requirements and activities of the national CIRT, how it will operate,
etc., in a more detailed approach
● Identify Technical specifications of Hardware/Software requirement
● Design of Network for BtCIRT
● Plan for the establishment of the secure communication channels between various
constituencies that will be served by CIRT
● Identify the requirements and activities needed by the public and private sectors to
have the CIRT operate successfully
● Based on the CIRT team members assessment, define clearly their roles,
responsibilities and knowledge that is needed to run CIRT Operations
● Help in specifying the incident management processes related to each critical sector
they are serving
● Developing the standard set of criteria and consistent terminology for categorizing
and defining incidents activities and events
● Developing the definitions of the incident handling guidelines, reporting
requirements, and processes of how the BtCIRT will interact with the constituency
of other partners like academia, industries, civil societies, law enforcement
agencies, international organizations, etc.
● Identifying the existing disaster recovery, incident response plans, business
continuity plans, crisis management or other emergency response plans
● Determining the needed processes for integration to the existing disaster recovery,
incident response plans, business continuity plans, crisis management or other
emergency response plans
● Identifying and determining the possible constraints that might affect the
development of processes and mitigation strategies
● Developing strategies and methods for building trusted relationships and
collaboration with other partners or stakeholders
● Identifying and Defining the coordination workflows with constituency and
partners on incident response
● Defining the methods to be used for information dissemination to the constituency.
● Identify countries that have successfully implemented a CIRT for a study visit
iii. Implementation Stage
● Implementing the definitions of the incident handling guidelines, reporting
requirements, and processes of how the Bhutan CIRT will interact with the
constituency of other partners according to the design
● Installation and configuration/customization of the Software applications
environment for the CIRT operations (Incident handling, escalation, service desk)
● Implement strategies and methods for building trusted relationships and
collaboration with other partners or stakeholders
● Finalising and implementing the CIRT Processes & Workflow
● Finalising the CIRT Policies and Procedures, legal & regulatory framework,
standards, etc.
● Preparing Training Materials and User Guides
● Installation and Configuration of Network
● Conducting System Integration Tests
● Preparing Application Installation Guides
● Organize a study visit
iv. Operations Stage
● Conducting Post Implementation Reviews
5 SCHEDULE and MILESTONE
The project milestones are as below:
Milestones
1. Kick-Off Meeting: Contract signing + 1 week
2. Planning and Design Stage: Contract signing + 5 weeks
3. Implementation and Testing Stage: Contract signing + 14 weeks
4. Operation Stage: Contract signing + 22 weeks
5. Project Handover: Contract signing + 23 weeks
6. Project Closure: Contract signing + 24 weeks
6 DELIVERABLES
1. Planning & Design Stage
● Create and Approve User Requirement Specification (URS)
o Analysis of the environment and constituents; SWOT, PEST
o Identify the constituency for the CIRT
o Define Mission Statement for the CIRT
o Determine CIRT Services
o Determine reporting structure, authority and organisation
o Define CIRT processes and workflow
o Develop policies, procedures and documentation
o Identify interactions with the constituencies
o Define roles and responsibilities for interaction
o Determine technology requirements: Technical specifications of
hardware/Software requirement
o Human resources requirements
o Capacity building program
o Communication Approach
o Identify CIRT physical location
● Design CIRT according to URS
● Network design according to URS
● Installation and preparation step by step guide for network and hardware
2. Implementation & Testing Stage
● Installation and Testing
o Incident reporting and tracking system
o Installation and Configuration of Network
o Helpdesk, website, mailing list software
o Hardware & software, databases, data repositories, data analysis tools, etc.
o Network Monitoring and log retention solutions
● Fine-tuning of CIRT Application and Training
o Training of CIRT team on CIRT operation and incident response
o Finalised CIRT processes and workflow
o Finalised policies & strategies, procedures, standards and documentations
o Assess infrastructure for the constituency
o Hardware configuration and software installation
o Address Legal issues
o CIRT announcement
3. Operation Stage
● Service desk support for CIRT operations
● Post Implementation Review Report
7 SERVICES AND FACILITIES PROVIDED BY MOIC
MoIC will facilitate the execution of the assignment by ensuring the cooperation of its key
relevant bodies and sector stakeholders relevant to the process. The MoIC will also provide
the following logistics support, if necessary:
● Office space in the DITT building
● Internet facility
● Local Telephone facility
● Shared printer of the office
8 REQUIRED QUALIFICATIONS, KNOWLEDGE AND EXPERIENCE
● The firm should have a minimum of 5 years of active experience in a similar task, and
at minimum the following team members are required to complete the task:
● Team lead: Minimum qualification of Bachelor’s degree in
ICT/Telecom/Computer with minimum of 5 year experience in a similar task
● Certified Incident Handler: Minimum qualification of Bachelor’s degree in
ICT/computer with minimum of 2 year experience and certified Incident Handler
● Certified Forensic Analyst/Examiner: Minimum qualification of Bachelor’s degree
in ICT/computer with minimum of 2 year experience
● Network Engineer: Minimum qualification of Bachelor’s degree in ICT/computer
with minimum of 2 year experience in network designing for similar tasks and a
solid understanding of networking, firewalls, and the various protocols involved in
data sharing and communications
● System Engineer: Minimum qualification of Bachelor’s degree in ICT/computer
with minimum of 2 year experience with Unix, Linux, Mac, and Windows systems
and implementation of similar tasks.
● Web developer: Minimum qualification of Bachelor’s degree in ICT/computer with
minimum of 2 year experience of web developing and hosting of similar tasks.