SELECTION OF CONSULTANT FOR SECURITY ASSESSMENT ON PUBLIC CLOUD INFRASTRUCTURE

Lagos, Nigeria
Closing date for applications: 2019-11-06


Summary

1.0 INTRODUCTION

The African Reinsurance Corporation (Africa Re) is the leading African reinsurance company, with headquarters in Lagos (Nigeria). Africa Re has six regional offices: Casablanca (Morocco), Abidjan (Côte d'Ivoire), Nairobi (Kenya), Lagos (Nigeria), Cairo (Egypt) and Ebene (Mauritius). The Corporation also has two subsidiaries, African Reinsurance Corporation South Africa Ltd in Johannesburg (South Africa) and Africa Retakaful in Cairo (Egypt), and local offices in Addis Ababa (Ethiopia) and Kampala (Uganda). Africa Re has a broad-based shareholding comprising 41 African member States, the African Development Bank (AfDB), 111 African insurance and reinsurance companies and three non-regional shareholders, including leading global insurers and reinsurers. The Financial Strength and Credit Rating of Africa Re is A by A.M. Best and A- by Standard & Poor's.

As part of the Enterprise Risk Management (ERM) processes, Africa Re is soliciting proposals for security assessment or penetration testing of its newly provisioned public cloud infrastructure (datacenter) from competent information security organizations and professionals.

2.0 PROJECT BACKGROUND

As part of its strategic objectives, Africa Re, like most companies large and small, intends to leverage cloud technology to modernize its information and communication technology (ICT) environment and enable the digital transformation required for business growth. For this purpose, the Corporation will be migrating its current on-premises datacenters to a public cloud datacenter in order to take advantage of the following benefits:

• Cost reduction (economies of scale offered by the multi-tenancy model of the public cloud)

• Scalability (flexibility to scale up/down in line with business demands and minimize the risks associated with in-house operational issues and maintenance)

• Improved IT operational efficiency (tremendously reduced IT team workloads)

• Mobility (ubiquitous access to IT services)

• Disaster recovery (quick data recovery provided by cloud-based services)

• Competitive edge (access to world-class enterprise technology)

However, although leveraging Cloud technology provides the aforementioned benefits, Corporations and individuals are often concerned about how security and compliance integrity can be maintained in this new environment.

Consequently, this Penetration Testing (PT) initiative forms a critical part of the Corporation's ongoing cyber assessment programme for testing its cybersecurity defenses.

2.1 SCOPE OF WORK

The purpose of this initiative is to conduct a comprehensive Penetration Test of the external network of the public cloud infrastructure, to determine its exposure to a targeted attack. All security assessment activities shall be conducted in a manner which simulates a malicious actor engaged in a targeted attack against Africa Re's co-location infrastructure, with the goals of:

• Identifying security weaknesses and ascertaining whether these weaknesses can be exploited by a remote attacker to circumvent the Corporation's cloud infrastructure defenses.

• Determining the impact of a security breach of Africa Re's centralized information assets.

The statement of work that will be included in the contractual agreement with the selected Consultant shall cover a Black-Box penetration testing strategy, in which the penetration tester is placed in the role of an external attacker with no internal knowledge of the target system.

Consequently, the assignment will depend on the tester’s ability to locate and exploit vulnerabilities in the target’s outward-facing services.

Efforts shall be placed on the identification and exploitation of security weaknesses that could allow a remote attacker to gain unauthorized access to corporate data. Amongst other things, the Consultant shall:

1. Comply with the public cloud datacenter customer support policy for penetration testing. The Consultant or vendor selected for this assignment will ensure that all activities performed are aligned with the policy set out by the Public Cloud Service Provider.

2. Assist or undertake on behalf of the Corporation, the preliminary clearance or accreditation processes prior to penetration testing exercise (private preview and Non-Disclosure Agreement).

3. Conduct a pre-engagement analysis to ensure appropriate scoping (attain approval from stakeholders in compliance with permitted services or exploits, the prohibited activities, etc.) before commencing the penetration testing exercise.

4. Perform an Intelligence Gathering which entails passive information gathering on the target infrastructure, according to the agreed scope.

5. Carry out a vulnerability analysis, which would involve active reconnaissance utilizing methods such as configuration reviews, port scanning and vulnerability scanning to identify vulnerabilities existing within the targeted infrastructure.

6. Attempt to exploit identified vulnerabilities to gain access to the system/application. The goal is to confirm the existence of the vulnerability and how exploitable it is.

7. Post exploitation and House Keeping - The pen tester shall confirm the removal of all backdoors, user accounts, scripts and executable files planted on the target environment in the course of the security assessment.

3.0 DELIVERABLES

3.1. SECURITY ASSESSMENT REPORT

At the conclusion of the assessment, Africa Re requires written documentation of the approach, findings, and recommendations associated with this project. The final reports will be the master documents encompassing all of the firm's work and findings. Each finding and its recommended remediation(s) should be assigned a risk level. Penetration test findings should be evaluated using a risk-based approach and presented in a fashion that identifies the key risks to the overall organization. The documentation should consist of the following:

a) Management Summary - A summary of key threats and business risks in a high-level risk-based format suitable for non-technical Executive Management, with ‘at a glance’ Critical and High risks.

b) Technical Details - Easy to follow summary of the identified vulnerabilities, and summary remedial action, plus details of each identified vulnerability and the steps taken by the pen tester to breach the network/defenses.

c) Risk-scored Report - The report should include a vulnerability scoring system to rate discovered issues based on severity, conforming to a standardized scoring system such as the Common Vulnerability Scoring System (CVSS) or the Infrastructure Vulnerability Index (IVI).

d) Remediation & Next Actions - Details of the required remediation for each identified vulnerability, plus supplemental information and/or recommendations on any required security controls, process and policy improvements etc.

The delivery and handover of the Penetration Test report should be done in person in hard-copy format or securely delivered by email. Penetration Test reports and results should only be communicated to the agreed points of contact.

3.2. MEETING & DEBRIEF SESSION

The Penetration Tester who conducted the assessment should attend the debrief meeting to explain the findings in detail, discuss recommendations and give guidance on the steps necessary to remediate the discovered vulnerabilities.

4.0 EVALUATION PROCESSES AND SELECTION CRITERIA

The bids submitted in response to this RFP will be evaluated and scored based on the following criteria:

• The pen testing provider must be certified and employ certified security professionals (CREST, ISO 27001, etc.), must ensure adherence to industry-standard best practice, and must have an enforceable Code of Conduct.

• Technical approach and methodology.

• Highly experienced: the Consultant must have extensive experience across large, complex organizations (Head Office and branches), with a pool of skilled Penetration Testers matching the skillset required for this assignment.

• Project management experience and organizational staffing.

• Proposed cost.

• Financial information based on audited financial statements.

• Success stories of the bidder on similar projects delivered previously.

• Quality, clarity and presentation of the proposal.

5.0 PRESENTATION OF TENDER

In order to facilitate the analysis of responses to this RFP, the responding vendors are required to prepare their proposals in accordance with the instructions outlined in this section. The firms/vendors whose proposals deviate from these instructions would be considered non-responsive and may be disqualified at the discretion of Africa Re.

Proposals should be clear and comprehensive. They should provide a straightforward, concise description of the vendor's capabilities to meet the requirements of the RFP. Emphasis should be laid on accuracy, completeness and clarity of content. All parts, pages, figures and tables should be numbered and clearly labeled. The proposal should be organized into the following major sections:

SECTION TITLE

1.0 Executive summary

2.0 Company Experience / Expertise

3.0 Technical approach and methodology

4.0 Project Management plan & Organizational staffing

5.0 Cost quotations

6.0 Financial information

7.0 Resumes of key staff to be deployed

5.1 EXECUTIVE SUMMARY

This part of the response to the RFP should be limited to a brief narrative highlighting the vendor's proposal. The summary should contain as little technical detail as possible and should be oriented towards non-technical personnel. The Executive summary should not include cost quotations.

5.2 EXPERIENCE OF THE VENDOR

The vendor must provide the following information about their company so that Africa Re can evaluate their stability and ability to support the commitments set forth in response to the RFP. Africa Re may require the vendor to provide additional documentation to support and/or clarify requested information.

[Using the format below, provide information on each relevant assignment for which your organization, and each associate for this assignment, was legally contracted either individually, as a corporate entity or, as one of the major companies within an association, for carrying out projects similar to the ones requested under the Terms of Reference included in this document. The Proposal must demonstrate that the Vendor has a proven track record of successful experience in providing services similar in substance, complexity, value, duration, and volume of services sought in this procurement.]

Maximum 20 pages

Assignment name:

Approximate value of the contract (in US$):

Country:

Location within country:

Duration of assignment (months):

Name of client:

Total number of staff-months of the assignment:

Address:

Approximate value of the services provided by your firm under the contract (in US$):

Start date (month/year):

Completion date (month/year):

Number of professional staff-months provided by associated vendors:

Name of associated consultants, if any:

Name of proposed senior professional staff of your firm involved and functions performed:

Narrative description of review engagement:

Description of actual services provided by your staff within the assignment:

Description of challenges encountered, and the strategy used to address and successfully close the project including time and resources:

Authorized Signatory:

Name of Vendor:

5.3 APPROACH AND METHODOLOGY

In this chapter, you should explain your understanding of the objectives of the assignment, approach to the services, methodology for carrying out the activities and obtaining the expected output and the degree of detail of such output. You should highlight the problems being addressed and their importance and explain the technical approach you would adopt to address them. You should also explain the methodologies you propose to adopt and highlight the compatibility of those methodologies with the proposed approach.

5.4 PROJECT MANAGEMENT PLAN & ORGANIZATIONAL STAFFING

In this chapter, you should propose the structure and composition of your team. You should list the main disciplines of the assignment, the key expert responsible, and proposed technical and functional staff.

5.5 COST QUOTATIONS

The bidder's proposal should include a detailed financial proposal.

5.6 FINANCIAL INFORMATION

The vendor’s financial information should be included in this section. Financial information must include audited financial information for the past three years if applicable.

5.7 RESUMES

The vendor must make every effort to select staff for the assignment based on Africa Re’s needs. Applicable resumes should be included in this section.


6.0 COMPANY AND OTHER GENERAL REQUIREMENTS

No. -- Requirement -- Vendor Response

6.1 Company Information Requirements

a) How long has the company been in business?

b) How long has the company been in business providing the proposed security assessment services for complex implementation projects?

c) State the number of employees in the company.

d) State the total number of employees dedicated to this assignment.

7.0 CLARIFICATION AND AMENDMENT OF REQUEST FOR PROPOSAL

The vendor may request clarification either through e-mail or in person (site visit) only up to 3 days before the proposal submission date. Any request for clarification must be sent in writing by letter or email to the Africa Re address indicated below. Africa Re will respond by letter or email to such requests and will send written copies of the response (including an explanation of the query but without identifying the source of the inquiry) to all firms which intend to submit proposals.

Contact for clarification - Email: icttender@africa-re.com

8.0 PROPOSAL SUBMISSION

Hard copies of the proposal, in duplicate and sealed in an envelope, must be delivered to the submission address indicated below and received by Africa Re not later than November 6, 2019.

Proposal can also be submitted through email to tender@africa-re.com. Any proposal received by Africa Re after the submission deadline shall not be considered.

Submission Address:

The Chairman of the Tenders Committee, African Reinsurance Corporation

SECURITY ASSESSMENT ON PUBLIC CLOUD INFRASTRUCTURE

Plot 1679 Karimu Kotun Street

Victoria Island PMB 12765

Lagos, Nigeria

Email: tender@africa-re.com

For: African Reinsurance Corporation

Corneille KAREKEZI

Group Managing Director/Chief Executive Officer
