INFORMATION SECURITY & DIGITAL RISK ASSESSMENT AND MANAGEMENT (Firm/Consultant)

A. Project Activity Title

Information Security and Digital Risk Assessment and Management of APHR

B. Organizational Background

APHR is a regional network of current and former parliamentarians who use their unique positions to advance human rights and democracy in Southeast Asia. We seek to help create a region where people can express themselves without fear, live free from all forms of discrimination and violence, and where development takes place with human rights at the forefront.

Our members use their mandate to advocate for human rights inside and outside of parliaments, regionally and globally. They work closely with civil society, conduct fact-finding missions, and publish recommendations and opinions on the most important issues affecting the region.

APHR was born out of the recognition that human rights issues in Southeast Asia are interconnected, and from the desire of progressive legislators to work together across borders to promote and protect human rights.

Staff security is one of the biggest challenges facing non-governmental organizations and civil society organizations due to the growing insecurity, threats and violence faced by them when doing human rights work and advocacy.

As civil society actors including parliamentarians are increasingly facing threats and reprisals because of their work, it becomes more imperative that they adopt mitigating and preventive measures to safeguards their operations as well as the safety and security of their staff, members, and partners. Southeast Asia mirrors the global trend of an increased crackdown on civic space, with the rise of authoritarian regimes in countries where APHR operates and growing intolerance for dissent and criticism. As APHR also becomes more known and effective in its public advocacy, it also needs to assess the potential risk and threats that the context in which it works might have on its security and safety of its staff, Board and members, be prepared to mitigate these risks, and respond to them effectively.

C. Scope of Work

APHR is looking for a consultant or firm who will carry out Information Security and Digital Risk Assessment and Management that will allow APHR to operate and share information as safely and securely as possible.

The consultant/firm will look into APHR’s information and digital vulnerabilities such as (but not limited to):

1. Cybersecurity
2. Cloud technology
3. Data Security and Leaks
4. Data Privacy
5. Process Automation
6. Compliance and Resilience
7. Third Party Risk
8. Staff Awareness and Capacity

The consultant/firm is expected to deliver an Information Security Assessment Report and a Digital Security Audit Report. The expected work and deliverables to be conducted are:

a. Conduct tests and analysis including of APHR office online platforms and technical environments for sound architectures, correct configurations, and system-level vulnerabilities.

b. Develop Information Security policy guidelines and control & monitoring mechanisms based on the assessment findings;

c. Develop a Digital Security blueprint and strategy for achieving a high level of security program maturity on the following (but not limited to):

– Social Media Use

– Regulatory Compliance and Information Security Policy

– Processes and Procedures

– Technical Architectures and Configurations

– Vulnerability and Risk Management

– Security Controls and Continuous Monitoring

– Threat Detection and Incident Response

– Resources, Skills and Awareness Training

d. Provide awareness training for the Board and staff to share best practices in digital security and the findings of the information security risk assessment.

D. Expected Outputs and Proposed Activities

Expected Outputs/Proposed Activities

1. Inception Meeting and Report = 1st week

2. Conduct Vulnerability Tests and Analysis = 2nd-3rd week

3. Schedule Meetings with Board members and staff = 3rd- 4th week

4. Draft and present Information Security Report and Digital Risk Assessment Report findings = 5th-6th week

5. Finalize Information Security Report and Digital Risk Assessment Report based on additional comments from APHR = 7th-8th week

6. Draft and finalize Information Security Management Policy and Digital Security Blueprint = 8th-9th week

7. Security awareness trainings for Board and Staff = 10th week

E. Duration of the Work

Duration of the consultancy will be for two and half (2.5) months from 15 July to 30 September 2022.

F. Duty Station

The selected consultants/firm will be working remotely/online. No travel to the region is required.

G. Qualifications of the Successful Individual Contractor/Team/Firm

The successful candidate/firm will have the following qualifications:

• Bachelor’s degree on information management or related courses;
• At least 7 years of industry experience in the information management and digital security domain focused on NGOs and human rights organizations;
• Have at least 2 similar completed projects or consultancies with NGOs in high risk or volatile situations;
• Excellent qualifications in cyber security, penetration testing and familiarity with industry best practice frameworks;
• Certified professional developer, Java, PHP, MySQL, Oracle, PostgreSQL and other Opensource Technologies;
• Certified professional Networking virtualization storage, cloud technologies;
• Familiarity of human rights issues, threats and vulnerabilities faced by human rights organizations in Southeast Asia region;
• Excellent skills in facilitating training on information and digital security to NGOs;
• Strong communication and written skills, demonstrated ability of making effective presentations to diverse audiences.