Consulting Services to Develop a Computer Incident Response Team (CIRT) Establishment Plan

REQUEST FOR EXPRESSIONS OF INTEREST

Organisation of Eastern Caribbean States
Caribbean Digital Transformation Project (CARDTP)
Grant No.: IDA – D6520

Assignment Title: Consulting Services to Develop a Computer Incident Response Team (CIRT) Establishment Plan

Reference No.: LC-OECS COMMISSION-311129-CS-CQS

The Organisation of Eastern Caribbean States (OECS) Commission has received funding from the World Bank toward the cost of the Caribbean Digital Transformation Project (CARDTP), and intends to apply part of the proceeds for Consulting Services to Develop a Computer Incident Response Team (CIRT) Establishment Plan.

The objective of the consulting services (“the Services”) is to develop a Computer Incident Response Team establishment plan (the “Plan”) for the use of its members, specifically Grenada, Dominica, Saint Lucia, and Saint Vincent and the Grenadines (“beneficiary countries”).  The Plan will reflect the common needs, requirements, and objectives of the beneficiary countries and will detail the services a national CIRT in the region should provide, its governance and organizational structure, its constituency, and necessary resources.  The Plan should also include a step-by-step roadmap for establishing a national CIRT.  The assignment is expected to be undertaken over a period of six (6) months.

The OECS now invites eligible consulting firms (“Consultants”) to indicate their interest in providing the Services. Interested Consultants should provide information demonstrating that they have the required qualifications and relevant experience to perform the Services. The minimum required qualifications and experience are listed in section 6 of Terms of Reference (TOR).  The details of the services required are available in the TOR which is available on the official website: www.oecs.org or can be obtained at the address given below.

The attention of interested Consultants is drawn to Section III, paragraphs, 3.14, 3.16, and 3.17 of the World Bank’s Procurement Regulations for IPF Borrowers, Fourth Edition, November 2020 (‘Procurement Regulations’), setting forth the World Bank’s policy on conflict of interest. 

To obtain the maximum degree of comparison among Expressions of Interests (EOIs) and facilitate the evaluation process, the EOI should be a maximum of 30 pages and include the following information included below:

• Title page with name of firm submitting the EOI: should contain name of firm (or joint venture and/or a sub-consultancy, if applicable), address, email, telephone, name of contact person and date of submission.
• Expression of Interest: including the firm’s general and specific experience, pool of experts etc.

Consultants may associate with other firms to enhance their qualifications, but should indicate clearly whether the association is in the form of a joint venture and/or a sub-consultancy. In the case of a joint venture, all the partners in the joint venture shall be jointly and severally liable for the entire contract, if selected.

A Consultant will be selected in accordance with the Consultants’ Qualification selection method set out in the Procurement Regulations.

Further information can be obtained at the address below during office hours 08:30 a.m. – 4:00 p.m. (0830 to 1600 hours).

Ms. Jenna Flavien
Procurement Officer
Caribbean Digital Transformation Project
OECS Commission
Morne Fortuné
P.O. Box 1383
Castries
Saint Lucia
Telephone: 758-455-6424/285-1980
Email: procurementbids@oecs.int   

Copied to:
Mr. Imran Williams, imran.williams@oecs.int    

An electronic copy of Expressions of Interest are to reach the OECS Commission by April 17, 2023 addressed to:

Ms. Jenna Flavien, Procurement Officer
At the following email address:
procurementbids@oecs.int
copied to imran.williams@oecs.int

The email submissions should include the name and address of the Consultant and shall be clearly marked in the subject line as “Expression of Interest – “Consulting Services to Develop a Computer Incident Response Team (CIRT) Establishment Plan”.

Caribbean Digital Transformation Project

IDA – D6520

Scope of Services

Terms of Reference

Consulting Services to Develop a Computer Incident Response Team (CIRT) Establishment Plan

March 2023

1.     BACKGROUND

The OECS Commission and the Governments of Grenada, Dominica, Saint Lucia, and St. Vincent and the Grenadines are implementing a digital transformation project, financed by the World Bank Group. The Caribbean Digital Transformation Project (called “project” going forth) comprises four components that address key bottlenecks and harness opportunities to develop the Eastern Caribbean Digital Economy as a driver of growth, job creation and improved service delivery. It aims to ensure that every individual and business within the region is empowered with the access to broadband, digital financial services and skills needed to actively participate in an increasingly digital marketplace and society. It leverages public sector modernization and digitization to improve service delivery and to drive creation of a digital culture across the region. To support the improved management of digital risks, the project will bolster cybersecurity policy, capacity, and planning tools in the region. It will facilitate technology adoption to improve productivity of flagship industries and create demand for digitally enabled jobs. It aims to foster regional integration and cooperation to capture the economies of scale and scope required to increase impact and value for money of the project interventions and to create a more competitive, seamless regional digital market to attract investment and provide room for growth of digital firms.

Component 1. 3 of the project focuses on Cybersecurity, Data Protection and Privacy:  Legal and Regulatory Environment, Institutions and Capacity. This sub-component, under the technical leadership of the Caribbean Community Implementing Agency for Crime and Security (IMPACS), aims to build trust in online transactions and strengthen the security and resilience of digital infrastructure and systems. It will promote cybersecurity awareness and capacity building as well as create an enabling environment and institutions needed to protect the public and private sector from cyber vulnerabilities.

Sub-component 1.3, specifically 1.3.a-c, under the technical leadership of the Caribbean Community Implementing Agency for Crime and Security (IMPACS), will rely on a combination of regional and national level approaches to share knowledge, and resources and respond to shared risks.

These shared risks manifest in the evolving cybercrime and cybersecurity breaches which continue to be a national, regional and global issue. Cybersecurity risks  have been further exacerbated with the advent of the COVID-19 pandemic. While there is limited data on the real economic losses of illicit activities or unsafe practices in cyberspace in the Caribbean, general estimates reveal that these losses are in the region of USD millions of dollars annually. The COVID-19 pandemic has also further emphasised that no individual, sector or industry is immune. The global data highlight that individuals of varying ages and key sectors such as the financial, health and energy sectors have been significantly impacted by security breaches and cybercrime over the last few years. Despite these growing risks, the recent ITU Global Cybersecurity Index notes that Caribbean countries' commitment to cybersecurity is relatively low[1]. These and other factors have therefore resulted in the region becoming increasingly susceptible to illicit activities and threats in cyberspace with limited ability to detect, prevent, investigate, and respond to these security events. The ability to effectively prosecute, and enforce the existing laws is also a challenge. This dilemma has been largely attributed to the region’s resource constraints and limitations, namely financial, legislative, technical or skilled personnel. 

A critical area in which to improve technical capabilities and response mechanisms is through the establishment and operation of a national CIRT. A CIRT may also be referred to as a computer security incident response team (CSIRT), Security incident response team (SIRT) to name a few. Regardless of the nomenclature, these structures  provide a vital function to countries through the protection of national assets, including critical infrastructure and help to foster a national culture of cybersecurity including building awareness and resilience. A scan of the region revealed that only a few countries have a national CIRT, such as Barbados, Guyana, Jamaica and Trinidad and Tobago. Notably, no such formal structure exists in the beneficiary countries. This alarming state of affair, heighten the security risks to the citizens and their fundamental human rights while hampering economic development and the ability to fully harness the benefits of a digital economy.

Current good practice dictates that there are several critical steps and processes involved in establishing a national CIRT. Some of these steps include:

• Assessing readiness. This involves determining the state of readiness of the country to implement a CIRT combined with activities towards building stakeholder engagement and cooperation;
• Designing the structure of the CIRT. This activity includes preparing the detailed design of the CIRT to facilitate operations;
• Implementing the CIRT. This step contemplates building the institutional and technical infrastructure taking into account governance mechanisms, processes, services, staffing and other resource considerations to advance the vision, mission and functions of the CIRT;
• Operating the CIRT. This involves the ongoing delivery of the planned services of the CIRT.

These principles serve as an important guide in setting the expectations for the identification of a suitable consultant to undertake the necessary project work for developing a CIRT establishment plan implementable in  each of the beneficiary countries.

2.     OBJECTIVE AND SCOPE

Objective

Within the objectives of the project, the Organization of Eastern Caribbean States (OECS) Commission intends to engage a firm (the “Consultant”) to develop a Computer Incident Response Team establishment plan (the “Plan”) for the use of its members, specifically Grenada, Dominica, Saint Lucia, and Saint Vincent and the Grenadines (“beneficiary countries”). The Plan will reflect the common needs, requirements, and objectives of the beneficiary countries and will detail the services a national CIRT in the region should provide, its governance and organizational structure, its constituency, and necessary resources. The Plan should also include a step-by-step roadmap for establishing a national CIRT.

The Consultant will incorporate widely accepted good practices to enable national CIRTs established through the Plan to participate in international cooperation initiatives and fora (e.g., Forum of Incident Response and Security Teams - FIRST). To reach this objective, the OECS Commission seeks a firm with a strong track-record in establishing CIRTs, particularly in developing countries.

Scope of Work

The deliverables are for establishing of CIRTs in the beneficiary countries. The deliverables may also be used by other members of the OECS if appropriate. The Consultant is expected to perform the following tasks:

1. Desk Research: The Consultant will conduct studies and analysis of the beneficiary countries’ current incident response capabilities as well as the broader cybersecurity readiness. This task includes the preparation of a list of relevant stakeholders to be interviewed during the consultation workshops.
2. Consultation workshops with relevant national and regional stakeholders: the Consultant will hold a series of interactions and discussions with relevant stakeholders to assess the level of readiness for creating a national CIRT. In this activity the Consultant will conduct interviews, ask about the needs, and discuss existing gaps and possible remediation. This task will inform task 3 and 4.
3. Draft Readiness Assessment Report: The Consultant will prepare a report based on the information collected in Tasks 1 and 2. The report will provide an overview of the existing incident response capabilities in the beneficiary countries, outline preliminary requirements (e.g., mandate, governance, high-level roadmap, budget) for the CIRT establishment plan, and provide insights into the broader cybersecurity context.
4. Draft CIRT Establishment Plan: The Consultant will develop a comprehensive plan that defines the services, target audience, necessary resources, and other relevant elements for establishing a national CIRT in the beneficiary countries. The Consultant will also provide a step-by-step roadmap for implementing the plan.
5. Reporting to Project Manager: The Consultant will report regularly to the project manager and provide Status Update Reports, presentations, and other forms of communication as required.
6. Other Applicable Tasks: The Consultant will carry out any additional tasks requested by the project manager within the scope of this ToR.

Conformity with internationally recognized standards and good practices

All the activities and deliverables mentioned in this ToR shall be completed in conformity with the main internationally recognized standards and good practices. Annex B reports an indicative list of resources

3.     DELIVERABLES

List of deliverables

The Consultant is expected to produce the following four (4) deliverables:

• Deliverable 1: inception report including work plan and schedule
• Deliverable 2: consultation workshop with national and regional stakeholders (up to 5 days). OECS will support the organization of the workshops. The list of national and regional stakeholders that will participate in the workshop will be agreed with OECS and beneficiary countries. Annex A provides a list and a rationale of stakeholders that should be considered
• Deliverable 3: readiness assessment report. This report shall include the following elements:
  • Brief review of existing incident response capabilities
  • Preliminary Mandate
  • Governance Structure
  • Requirement for CIRT hosting organization
  • High-level roadmap and budget
  • High-level requirements for the Design Stage
• Deliverable 4: CIRT establishment plan. The Plan shall include the following:
  • Detailed Mandate
  • CIRT Services Plan
  • CIRT Processes and Workflows Plan
  • CIRT Organisation, Skills and Training Structure Plan
  • CIRT Facilities Plan
  • CIRT Technologies and Processes Automation Plan
  • CIRT Cooperation Plan
  • CIRT IT and Information Security Management Plan
  • Detailed roadmap and Requirements for the Implementation Stage

Format of deliverables

Deliverables 1, 3, 4 will be delivered in the form of documents (e.g., Excel, Word, PowerPoint; etc.). Deliverable 2 will be delivered in the form of up to 5 days of on-site or virtual workshop.

4.     ASSIGNMENT DURATION, DELIVERABLES AND PAYMENT SCHEDULE

The estimated duration of this assignment is forty (40) weeks over a period of one (1) year. The completion of deliverables should follow the timeframe outlined below:

5. ASSUMPTIONS

• The Consultant will not perform any intrusive or technical assessment at a client site.
• The deliverables procured through this engagement are advisory in nature.
• The OECS Commission and beneficiary countries will provide the Consultant with relevant documents such as policy, strategies, risk assessments, and other relevant data and information that could help the Consultant deliver the expected outcomes. The OECS Commission and beneficiary countries will make subject matter experts available for interviews and information gathering
• The Project Manager, in collaboration with beneficiary countries, will provide help to identify the list of stakeholders and preparatory documentation for interviews in a timely manner.
• The OECS Commission will have three (3) weeks to review and provide feedback for each deliverable.
• The OECS Commission will be responsible for all management decisions relating to the engagement and resulting deliverables, for determining whether the deliverables are appropriate for their purposes.
• The OECS Commisson will own the intellectual property rights of the deliverables created through this engagement.

6.     CONSULTANT REQUIREMENTS AND QUALIFICATIONS

Requirements and Qualification of Consultant

The selected Consulting Firm should have international repute and a strong and demonstrated track record in cybersecurity and cybercrime frameworks.  The Consulting Firm must be able to perform all tasks specified in the TOR and have the relevant experience outlined below:

• At least 7 years of experience in cybersecurity, specifically incident response, cyber threat intelligence , digital forensics
• At least 3 project references in the past 5 years of assessing, establishing/enhancement of national/sectorial CIRT/CSIRT/SOC. Reference letters signed by the customer must be provided with the proposal
• At least five years of experience with:
  • Integrating and customization of CSIRT/CERT/CIRT/SOC Tools
  • Developing policies and procedures related to CSIRT/CERT/CIRT/SOC operations (operational workflows, SOPs, incident management processes, service level management frameworks, among others)
  • Setting up Cybersecurity Operation center tools; configuring honeypots and integrate external feeds, setting up digital forensic solutions
• Previous projects in the region are an asset

Qualifications of the Consultant’s team

The Consultant’s team should be composed of at least the following members:

Team Leader

• University Bachelor’s or Master’s degree in computer science, IT, engineering or related field;
• At least seven (7) years of experience in Cybersecurity program or project management experience specifically incident response, cyberthreat intelligence and digital forensic.
• Proven experience in managing and implementing CIRT/CERT/CSIRT/SOC related projects in developing countries would be an advantage

• Relevant certifications such as CISSP, CISM, or GCIH and internationally recognized SOC auditor certification
• Fluency in English

Project Team Members

• At least five years of experience in cybersecurity specifically incident response, cyberthreat intelligence and digital forensic.
• Proven work experience in implementing CIRT/CERT/CSIRT/SOC related projects in developing countries would be an advantage.
• Relevant certifications such as CISSP, CISM, or GCIH and internationally recognized SOC auditor certification
• At least one project team member should be certified EnCase Certified Examiner (EnCE) and/or EnCase Certified eDiscovery Practitioner (EnCEP)
• At least one project team member should be certified Cellebrite Certified Mobile Examiner (CCME)
• Fluency in English

ANNEX A – Sample list of potential stakeholders to be included in consultation workshops

• relevant ministry representatives;
• policy makers (parliamentarians);
• judiciary system;
• regulatory bodies;
• national security agencies;
• military establishment (or those currently responsible for information security and/or IT and ICT management);
• law enforcement agencies;
• critical infrastructure providers (water, energy, transport, etc.);
• central monetary agency and banks (most relevant public and commercial);
• telecommunication operators and Internet service providers;
• academia and national research bodies;
• local industry (private sector) involved in security initiatives

ANNEX B - Recognized good practices for establishing CIRTs

• Carnegie Mellon University, 2016, Create a CSIRT, Software Engineering Institute, Pittsburgh, PA. Cowley, C. and Pescatore, J., 2019, Common and best practices for security operations centers: Results of the 2019 SOC survey, SANS Institute. ENISA, 2006, A step-by-step approach on how to set up a CSIRT. (https://www.enisa.europa.eu/publications/csirt-setting-up-guide )
• FIRST, 2019, Computer Security Incident Response Team (CSIRT) Services Framework (https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1 ).
• IETF Internet Engineering Task Force, 1998, RFC 2350 for CSIRT establishments. (https://tools.ietf.org/html/rfc2350 )
• Internet Governance Forum, 2014, Best practice forum on establishing and supporting computer security incident response teams (CSIRTs) for internet security (https://www.intgovforum.org/multilingual/content/establishing-and-supporting-computer-incident-security-response-teams-csirts-for-internet ).
• MITRE, 2014, Ten strategies of a world-class cybersecurity operations center, MITRE, Bedford, MA.
• Morgus, R., Skierka, I., Hohmann, M. and Maurer, T., 2015, National CSIRTs and their role in computer security incident response, New America and GPPi. (https://www.researchgate.net/publication/323358191_National_CSIRTs_and_Their_Role_in_Computer_Security_Incident_Response )
• National Cyber Security Centre, 2015, CSIRT Maturity Kit, National Cyber Security Centre, the Hague.
• National Cyber Security Centre, 2017, Building a SOC: Start Small, National Cybersecurity Centre, the Hague.
• Organization of American States, 2016, Best Practices for Establishing a National CSIRT, OAS, Washington, D.C.
• Open CSIRT Foundation, 2008-2019, SIM3: Security Incident Management Maturity Model. (https://opencsirt.org/csirt-maturity/sim3-and-references/)
• Skierka, I., Morgus, R., Hohmann, M. and Maurer, T., 2015, CSIRT Basics for Policy-makers, New America and GPPi. (https://www.researchgate.net/publication/323358187_CSIRT_Basics_for_Policy-Makers )
• Telecommunications Development Sector (ITU-D), 2020, ITU CIRT framework, International Telecommunication Union, Geneva.
• ThaiCERT, 2017, Establishing a CSIRT, Thailand Computer Emergency Response Team, Bangkok.
• TNO, 2017, GFCE global good practices: National computer security incident response teams (CSIRTs). (https://thegfce.org/wp-content/uploads/2020/06/NationalComputerSecurityIncidentResponseTeamsCSIRTs-1.pdf )

Tender Dossier / Supporting Documents

Ask a Question