African Reinsurance Corporation / Société Africaine de Réassurance, 28th July 2015, REQUEST FOR PROPOSAL


REQUEST FOR PROPOSAL ICT AUDIT

BACKGROUND

African Reinsurance Corporation (Africa Re) was established in 1976 by 36 member States of the African Union and the African Development Bank Group (AfDB). It is the leading reinsurance company in Africa and the Middle East with diplomatic status in its current 41 African member countries. Its shareholding is split between African (75%) and Non-African (25%) investors. African shareholding comprises 41 African states, the AfDB and more than 100 African insurance/reinsurance companies from the 41 member countries. Non-African shareholding is made up of PROPARCO (subsidiary of the AFD, France), IRB Brasil Re (leading Brazilian reinsurer), AXA (leading global French insurer) and FAIRFAX (Canadian group of insurance and reinsurance companies across the globe).

At a time when information and technology are integral to every aspect of business, the need to extract more value from IT investments and manage an increasing array of IT-related risks has never been greater. Increasing regulation is also driving heightened awareness amongst boards of directors of the importance of a well-controlled IT environment and of the need to comply with legal, regulatory and contractual obligations. In response to these needs, Africa Re is seeking the services of a consulting firm to undertake a comprehensive ICT audit of its IT systems and infrastructure. The detailed terms of reference are provided below.

TERMS OF REFERENCE

Africa Re has invested in an IT infrastructure upgrade which, upon completion, will see the corporation have a primary data centre in Lagos, Nigeria and a redundancy/recovery site in Casablanca, Morocco. Both of these sites are hosted by 3rd parties. All six regional offices of Africa Re and two subsidiaries will connect to the primary data centre for daily business operation and to the recovery site via dedicated VPN links in case of a disaster. All the core business applications will be implemented at the Primary site and automatically replicated at the Recovery sites with the data mirrored on a continuous basis. The regional office locations and subsidiary locations will however maintain network infrastructure and communication systems to enable them to connect with either the primary or recovery data centres. The corporation has also outsourced the hosting of its email system and website to 2 different offshore companies, each with their own redundancy sites.

Plot 1679, Karimu Kotun St., Victoria Island, P.M.B. 12765, Lagos, Nigeria. T: +234-1-461 6820/461 6828/280 0924/280 0925. F: +234-1-280 0074. W: www.africa-re.com. E: info@africa-re.com

The consultant is expected to review the entire IT system infrastructure and operations at the primary site, the recovery site and selected regional office locations and assess its robustness in meeting anticipated objectives. The consultant will be required to adhere to the terms of reference stated below and where necessary expand the scope. The specific tasks the consultant is expected to carry out include:

The ICT Audit at these locations shall include, but not be limited to, the following:

1) IT Governance Audit

a) Alignment of IT and business strategy

b) Delivery of IT services in line with business requirements

c) Long term and short term IT strategies

d) Review of IT Budgets for the last three years

e) IT training schedules

f) Assessment of IT Steering Committee activities

g) IT skills assessment

2) Operating System (OS) for applications, databases and network equipment Review

a) Logical access controls

b) User access management & security

c) Set up and maintenance of system parameters

d) Patch and update management

e) Benchmarking of security configuration

f) Network access control

g) Intrusion prevention & detection systems

3) Applications and databases security review

a) Logical access controls

b) User access management & security

c) Set up and maintenance of system parameters

d) Patch and Update Management

e) Benchmarking of security configuration

4) Review of IT Processes and operations

a) IT asset management (acquisition and disposal of IT equipment)

b) Help Desk

c) Information systems acquisition, development and maintenance

d) IT incident management

e) Network performance management

f) Backup & media management

g) Enterprise antivirus management

h) Vendor selection

i) Third party service delivery management

5) Security Management

a) IT security policies alignment with ISO27001:2013

b) Information security roles and responsibilities

c) Vulnerability management practices

d) Applications security configurations & management

e) LAN and Wireless LAN security

f) Mobile computing security review

g) Physical security review

h) Security training and awareness

6) IT continuity audit

a) BCM/DRP plans and their testing

b) DRP sites and locations

c) Communication and awareness of BCM/DRP

7) Review the existing policy documents of the corporation such as IT Policy, IT Standard Operating Procedures, IT Security Policy etc., and suggest required changes.

The audit exercise is anticipated to take place during the month of October 2015, a time when the ongoing system upgrade is expected to have been completed.

DELIVERABLES

The prime deliverable is a comprehensive ICT Audit Report that includes the following at the minimum:

Executive Summary

Strong points identified

Weaknesses Identified

Conclusions

Recommendations for improvement

Action plan to guide the implementation of the recommendations

PROJECT MILESTONES

Inception Report: The consultant will submit an inception report within 7 days after commencement and after consultations with key stakeholders.

Draft Report to be submitted midway through the project. The draft report should have detailed analysis of the project status, a proposed plan for presentation, discussion and adoption of the recommendations.

Final Report to be submitted 1 week after receiving comments from the corporation.

CLARIFICATION AND AMENDMENT OF REQUEST FOR PROPOSAL

Consultants may request clarification only up to 7 days before the proposal submission date. Any request for clarification must be sent in writing by paper mail, facsimile or email to the corporation address indicated below. The corporation will respond by paper mail, facsimile or email to such requests and will send written copies of the response (including an explanation of the query but without identifying the source of the inquiry) to all invited consultants who intend to submit proposals.

At any time before the submission of proposals, the corporation may for any reason, whether at its own initiative or in response to a clarification requested by an invited firm, amend the Request for Proposal. Any amendment shall be issued in writing through addenda. Addenda shall be sent by paper mail, facsimile or email to all invited consultants and will be binding on them. The corporation may at its discretion extend the deadline for the submission of proposals.

PROPOSAL PREPARATION

Invited consulting firms should submit written proposals that include the following details:

a) Company’s Identification Number

b) A brief description of the firm’s organization and an outline of recent experience on assignments of similar nature. For each assignment, the outline should indicate inter alia, the profiles of the proposed staff, duration of the assignment, contract amount and the firm’s involvement.

c) Any comments or suggestions on the terms of reference, a list of services and facilities to be provided by the corporation

d) A description of the methodology and workplan for performing the assignment

e) A list of the proposed staff team by specialty, the tasks that would be assigned to each staff team member and their timing

f) CVs for proposed professional staff. Key information should include professional qualifications, number of years working for the firm and degree of responsibility held in various assignments during the last 5 years

g) Estimates of the total staff input needed to carry out the assignment

h) Activity (work) schedule

i) Proposed fees (broken down by activity)

PROPOSAL SUBMISSION

The original proposal shall be prepared in indelible ink. It shall contain no interlineations or overwriting, except as necessary to correct errors made by the Consultants themselves. Any such corrections must be initialed by the person authorized to sign the proposals.

The Proposals must be delivered to the submission address indicated below and received by Africa Re no later than 25th August 2015, or any extension to this date as the case may be. Any proposal received by Africa Re after the deadline for submission shall be rejected.

Submission Address:

The Tender Committee, African Reinsurance Corporation, Plot 1679 Karimu Kotun Street, Victoria Island, PMB 12765, Lagos, Nigeria

Telephone: (+234-1) 461 6820/461 6828/280 0924/280 0925

Fax: (+234-1) 280 0074

Email: tender@africa-re.com

Yours Sincerely

Ken Aghoghovbia, Deputy Managing Director/COO