ICT SECURITY CONSULTANT
Location :
New York City, UNITED STATES OF AMERICA
Application Deadline :
18-Sep-13
Type of Contract :
Individual Contract
Post Level :
International Consultant
Languages Required :
English
Starting Date :
(date when the selected candidate is expected to start)
01-Oct-2013
Duration of Initial Contract :
6 Months
Expected Duration of Assignment :
6 Months
Background
OIST is the Information Technology division formed within United Nations Development Programme to provide leadership and services in the areas of program technology support and network and telecommunications services. OIST is a service-oriented organization that prides itself on delivering high quality, cost-effective IT services.
The UNDP ICT Security Unit delivers the security framework, ICT governance, IT usage policies and disaster recovery planning services to the organization. It is the only organization in the United Nations system to be both ISO 9001 and ISO 27001 certified.
As part of the ISO 27001 implementation, OIST is required to implement and maintain a process for controlling technical vulnerabilities (ISO 27001 Annex A control A.12.6.1, control of technical vulnerabilities). In the current arrangement, the results of previous vulnerability assessments (discovered weaknesses) are recorded in a simple SharePoint list. The tracking and reporting function can only capture a one-to-one relation between a vulnerability and a host.
The current setup has no efficient storage or modification functionality, and complex searches over the interlinked vulnerability information cannot be performed: for example, it is not possible to list all hosts affected by a specific vulnerability, or all vulnerabilities recorded against one specific host.
Populating and maintaining this repository, and using it to produce graphical and numerical statistics, is a labor-intensive process. Moreover, it has no workflow, no notification capability and no automated batch import/export of data.
Duties and Responsibilities
Summary of Key Functions
Under the direct supervision of the Chief Information Security Officer (CISO), the incumbent will be responsible for performing the following:
Developing a user-friendly SharePoint-based web application to manage the vulnerability lifecycle. More specifically, the application should allow for:
- More flexibility: multiple vulnerabilities of different types can be assigned to the same host, and one vulnerability to multiple hosts;
- Prioritization of the various types of vulnerabilities;
- Efficient management of the work-flow;
- Automated data population of the database;
- Automated notification function;
- Progress tracking;
- A user-friendly, automated statistics reporting function;
- Automated import/export of data.
Designing, setting up and maintaining an in-house vulnerability tracking system, which meets the initial technical requirements given below. Please note that these initial requirements may be clarified in more detail once the project has started, and may be adjusted along the way.
The initial technical requirements include the following, but are not limited to:
1. Vulnerability record:
- Vulnerability ID - unique alpha-numerical value automatically generated based on a predefined pattern;
- Short Vulnerability Outline - one-line text field with a short description or name of the vulnerability;
- Vulnerability Description - generic text blob describing the vulnerability;
- Recommended Mitigation - generic text blob describing how to address the vulnerability;
- Severity Rating - value from a predefined (expandable) set of "High"/"Medium"/"Low";
- Affected Hosts - list of hosts (showing IP, Hostname, Group; see 2 below) linked with this particular Vulnerability ID;
- Affected ISO Objective - list of items from a predefined set of ISO objectives/controls;
- Vulnerability Group - specific group this vulnerability belongs to, from a set of predefined (expandable) groups.
2. Host record:
- Host ID - unique host name;
- Host IP - network address of the host;
- Technical Owner - ICT personnel responsible for the host (Name, Email);
- Business Owner - manager responsible for the host (Name, Email);
- Business Unit - business unit owning the host;
- Host Group / Area of Concern - individual value from a predefined (expandable) set.
3. Item record (one vulnerability/host pair):
- Item ID - unique alpha-numerical value automatically generated based on a predefined pattern;
- Vulnerability ID Reference - Vulnerability ID, Outline and Severity Rating (see 1);
- Host ID Reference - Host ID, IP and Owners (see 2);
- Current Status - value from a predefined (expandable) set of "Open"/"Pending"/"Closed - Accepted"/"Closed - Fixed";
- Date Opened - date when the item was opened;
- Due Date - date by which the item is expected to be addressed;
- Item Group - individual value from a predefined (expandable) set;
- Comments/Actions Taken - historical record of changes to the item (e.g. status changes) as well as free-text comments.
4. Views and searches:
- All vulnerabilities grouped by Vulnerability Group, ISO Control or Severity Rating;
- All hosts grouped by Host Group, Owners or Business Unit;
- All items ordered by Vulnerability ID, Host ID, Current Status or Item Group;
- All items for a particular Owner.
5. Statistics and reporting:
- Graphical / numerical stats on the number of vulnerabilities by ISO Objective;
- Graphical / numerical stats on the number of vulnerabilities by Vulnerability Group;
- Graphical / numerical stats on the frequency of occurrence of specific Vulnerability IDs in issues (e.g. top-10 vulnerabilities);
- Graphical / numerical stats on the frequency of occurrence of specific Host IDs in issues (e.g. top-10 vulnerable hosts);
- Graphical / numerical stats on the frequency of occurrence of specific Business Units / Owners in issues;
- Graphical / numerical stats on the status of issues grouped by the Severity Rating of the referenced vulnerabilities (e.g. Open/Pending/Closed High/Medium/Low issues).
6. Workflow, notifications and batch operations:
- Periodically notify Owners, in the form of an email digest, about assigned issues (vulnerabilities + hosts) and their status;
- Notify Owners, in the form of an email digest, about overdue issues;
- Do not allow Owners to change an issue's status to "Pending" without a Due Date;
- Do not allow Owners to close an item without providing comments;
- Allow batch import / export of data in a recognized format (e.g. CSV, XML, etc.);
- Allow batch edit of data (e.g. closing multiple issues) for the application admin.
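To make the data model behind these requirements concrete, here is an added example (not UNDP/OIST code, and not SharePoint: it is a stand-alone SQLite sketch) of the vulnerability, host and item records as three tables, with the item table carrying the many-to-many link that the current one-to-one list cannot express, the two workflow rules ("Pending" needs a Due Date, closure needs comments) enforced as CHECK constraints, a trigger that keeps the status history, and the per-host, top-N, status-by-severity and overdue-digest queries from the views and statistics lists. All table and column names, the sample vulnerabilities, hosts, owners and dates are constructed for the illustration.

```python
import sqlite3

# Added illustration, not UNDP/OIST code: the vulnerability / host / item model from
# the requirements above, built in SQLite so it runs offline. Table and column names
# are hypothetical and every sample row below is constructed.
SCHEMA = """
PRAGMA foreign_keys = ON;
CREATE TABLE vulnerability (
    vuln_id TEXT PRIMARY KEY, outline TEXT NOT NULL,
    severity TEXT NOT NULL CHECK (severity IN ('High', 'Medium', 'Low')),
    vuln_group TEXT NOT NULL, iso_objective TEXT NOT NULL);
CREATE TABLE host (
    host_id TEXT PRIMARY KEY, ip TEXT NOT NULL, technical_owner_email TEXT NOT NULL,
    business_unit TEXT NOT NULL, host_group TEXT NOT NULL);
-- One item per (vulnerability, host) pair: the many-to-many link a flat list cannot hold.
CREATE TABLE item (
    item_id TEXT PRIMARY KEY,
    vuln_id TEXT NOT NULL REFERENCES vulnerability(vuln_id),
    host_id TEXT NOT NULL REFERENCES host(host_id),
    status TEXT NOT NULL DEFAULT 'Open'
        CHECK (status IN ('Open', 'Pending', 'Closed - Accepted', 'Closed - Fixed')),
    date_opened TEXT NOT NULL, due_date TEXT, comments TEXT,
    UNIQUE (vuln_id, host_id),
    -- Workflow rules: no Pending without a due date, no closure without a comment.
    CHECK (status <> 'Pending' OR due_date IS NOT NULL),
    CHECK (status NOT LIKE 'Closed%' OR (comments IS NOT NULL AND comments <> '')));
-- Historical record of status changes (the "Comments/Actions Taken" field).
CREATE TABLE item_history (
    id INTEGER PRIMARY KEY, item_id TEXT NOT NULL REFERENCES item(item_id),
    old_status TEXT NOT NULL, new_status TEXT NOT NULL, comment TEXT);
CREATE TRIGGER log_status AFTER UPDATE OF status ON item
WHEN OLD.status <> NEW.status BEGIN
    INSERT INTO item_history (item_id, old_status, new_status, comment)
    VALUES (NEW.item_id, OLD.status, NEW.status, NEW.comments);
END;
"""
SAMPLE = """
INSERT INTO vulnerability VALUES
 ('V-001', 'Outdated OpenSSL', 'High', 'Patching', 'A.12.6.1'),
 ('V-002', 'Weak SSH ciphers', 'Medium', 'Configuration', 'A.10.6.1'),
 ('V-003', 'Banner disclosure', 'Low', 'Configuration', 'A.12.6.1');
INSERT INTO host VALUES
 ('H-001', '10.0.0.1', 'ops-a@example.org', 'Finance', 'DMZ'),
 ('H-002', '10.0.0.2', 'ops-b@example.org', 'HR', 'Internal'),
 ('H-003', '10.0.0.3', 'ops-b@example.org', 'HR', 'Internal');
INSERT INTO item (item_id, vuln_id, host_id, status, date_opened, due_date, comments) VALUES
 ('I-001', 'V-001', 'H-001', 'Open', '2013-08-01', '2013-08-15', NULL),
 ('I-002', 'V-001', 'H-002', 'Pending', '2013-08-01', '2013-09-30', NULL),
 ('I-003', 'V-001', 'H-003', 'Open', '2013-08-05', NULL, NULL),
 ('I-004', 'V-002', 'H-001', 'Closed - Fixed', '2013-08-01', '2013-08-10', 'Patched'),
 ('I-005', 'V-003', 'H-001', 'Open', '2013-08-10', '2013-09-01', NULL);
"""

def build_db():
    conn = sqlite3.connect(":memory:")  # in-memory tracker loaded with the sample data
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def set_status(conn, item_id, status, due_date=None, comment=None):
    """Apply a status change; returns False when the workflow CHECKs reject it."""
    try:
        with conn:  # commits on success, rolls back on IntegrityError
            conn.execute("UPDATE item SET status = ?, due_date = COALESCE(?, due_date), "
                         "comments = COALESCE(?, comments) WHERE item_id = ?",
                         (status, due_date, comment, item_id))
        return True
    except sqlite3.IntegrityError:
        return False

def vulns_for_host(conn, host_id):
    """All vulnerabilities on one host: the lookup the one-to-one list could not answer."""
    return [r[0] for r in conn.execute(
        "SELECT vuln_id FROM item WHERE host_id = ? ORDER BY vuln_id", (host_id,))]

def hosts_for_vuln(conn, vuln_id):
    return [r[0] for r in conn.execute(
        "SELECT host_id FROM item WHERE vuln_id = ? ORDER BY host_id", (vuln_id,))]

def top_n(conn, column, n=10):
    """Top-n vulns or hosts by item count; identifiers cannot be bound, so whitelist them."""
    if column not in ("vuln_id", "host_id"):
        raise ValueError(column)
    return conn.execute(f"SELECT {column}, COUNT(*) AS c FROM item GROUP BY {column} "
                        f"ORDER BY c DESC, {column} LIMIT ?", (n,)).fetchall()

def status_by_severity(conn):
    """Item status counts broken down by the referenced vulnerability's severity."""
    return {(sev, st): c for sev, st, c in conn.execute(
        "SELECT v.severity, i.status, COUNT(*) FROM item i "
        "JOIN vulnerability v ON v.vuln_id = i.vuln_id GROUP BY v.severity, i.status")}

def overdue_digest(conn, today):
    """Unclosed items past their due date, grouped by technical owner for the email digest."""
    digest = {}
    for owner, item_id, due in conn.execute(
            "SELECT h.technical_owner_email, i.item_id, i.due_date FROM item i "
            "JOIN host h ON h.host_id = i.host_id WHERE i.status NOT LIKE 'Closed%' "
            "AND i.due_date < ? ORDER BY 1, 2", (today,)):
        digest.setdefault(owner, []).append((item_id, due))
    return digest
```

Two design points carry over to any implementation, SharePoint included: put the workflow rules in the data layer (here CHECK constraints, so `set_status(conn, "I-003", "Pending")` with no due date is refused and rolled back, while the same call with `due_date="2013-10-01"` succeeds and is logged by the trigger), and never let a user-supplied string choose a column or table name, which is why `top_n` whitelists the grouping column instead of interpolating it.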
Deliverables
- At the onset of the project; in close consultation with OIST and other stakeholders, a work plan will be developed with specific timeframes for deliverables and milestones;
- During the project; monthly progress reports, indicating the status of the deliverables, milestones accomplished and/or percentage completed, estimated remaining timeframe for completion, as well as any outstanding issues which might hamper successful conclusion;
- At the end of the project; two deliverables are expected: (a) A fully operational SharePoint-based web application that provides a vulnerability management system, which meets the technical requirements defined at the beginning of the project; and (b) Operational documentation on the above system, including but not limited to: (i) A User Manual for both end-users and administrators; (ii) A Trouble-Shooting Guide; and (iii) Other support requirements.
Travel and Working Arrangements
The incumbent is expected to be on site. There is no expected travel.
On an exceptional basis, the CISO may allow the contractor to work away from the office, if the work entailed does not require their physical presence in the office (e.g. writing documentation, coding, etc.).
OIST shall provide the contractor with a desk and office equipment (e.g. workstation, phone, etc.) within the OIST premises.
UNDP will provide to the contractor access to the SharePoint development platform and the ISO standards to be followed in performing the work listed above.
Competencies
Core Competencies
- Displays cultural, gender, religion, race, nationality and age sensitivity and adaptability;
- Facilitates and encourages open communication in the team, communicating effectively;
- Remains calm, composed and patient when facing conflict, manages conflict productively, focusing on mutually acceptable solutions;
- Takes initiative and seeks opportunities to initiate action;
- Actively produces and disseminates new knowledge; creates/contributes to mechanisms to collect and share knowledge;
- Actively seeks learning opportunities; demonstrates commitment to ongoing professional development;
- Proposes innovative ideas and new solutions to work.
Functional Competencies
- Independent and driven, and able to self-manage;
- Flexible, adaptable, and comfortable working in a dynamic, multi-cultural environment;
- Ability to work directly with internal and external clients to define requirements for analysis and reporting (the consultant will be expected to build a database with reporting functionality);
- Strong communication skills, both written and oral, are desired;
- Organized, responsive and thorough problem solver.
Required Skills and Experience
Education
- A bachelor’s degree in Information Technology management or related field. Significant experience in the field may be substituted for education credentials.
Experience
- The applicant should have a minimum of 3 years in Information Security, with specific experience in Risk Management and implementing ISO standards;
- Solid knowledge of Information Security principles and practices, as evidenced by having an industry recognized security certification (e.g. CISSP, CISM or CISA), is a must;
- Experience in Risk Management, ISO 27001/ISO 27002, is mandatory;
- Experience with issue tracking and Project Management tools such as JIRA is a must;
- Experience working with Agile (Scrum) project team development environments is mandatory;
- Excellent knowledge of Microsoft Architectures, Microsoft Office SharePoint Server 2007 and SharePoint workflows is mandatory;
- Proven track record in Software Development for Microsoft Office SharePoint Server 2007, including .NET development to extend and augment the SharePoint platform, is a must;
- Strong knowledge of the .NET framework (C#) and associated technologies is an asset;
- Good understanding of MS SQL Server 2005/2008 fundamentals is preferred;
- A record of working with International Organizations is preferred.
Language Requirements
- Fluency in oral and written English required;
- Working knowledge of another UN official language is an asset.
Application Procedure
Qualified and interested candidates are hereby requested to apply. The application package should contain the following:
- Brief description of why the candidate considers her/himself the most suitable for the assignment.
- Past experiences with similar projects;
- At least 3 references, including telephone and email contact details.
- All-inclusive, lump sum daily rate based on a 7.5-hour working day, supported by a breakdown of costs;
- If the candidate is employed by an organization/company/institution, and he/she expects his/her employer to charge a management fee in the process of releasing him/her to UNDP under a Reimbursable Loan Agreement (RLA), the candidate must indicate at this point, and ensure that all such costs are duly incorporated in the Financial Proposal submitted to UNDP;
- The Financial Proposal is to be emailed to cpu.bids@undp.org on or before the deadline given above, with the heading "Financial Proposal for ICT Security Consultancy".
Evaluation
Individual consultants will be evaluated based on cumulative analysis:
When using this weighted scoring method, the award of the contract will be made to the individual consultant whose offer has been evaluated and determined as:
- Being responsive/compliant/acceptable; and
- Having received the highest score out of a pre-determined set of weighted technical and financial criteria specific to the solicitation;
- Technical criteria weight: Interview Score (70%);
- Financial criteria weight: Financial Proposal (30%).
Only candidates obtaining a minimum of 70% (490 points) of the maximum obtainable points for the technical criteria (700 points) shall be considered for the financial evaluation.
The evaluation criteria are broken down as follows:
- Motivation - 10% or 100 points maximum;
- Technical Knowledge - 20% or 200 points maximum;
- Relevant Working Experience in the Required Areas - 40% or 400 points maximum;
- Financial Offer - 30% or 300 points maximum.
Applicants are shortlisted based on educational background and relevant working experience in the required areas. UNDP may choose to interview shortlisted candidates. Please note that only shortlisted candidates will be contacted.
Payment Modalities
- Payment to the Individual Consultant will be made once a month and upon certification of satisfactory completion by the CISO;
- The Individual Consultant will be paid a daily rate as negotiated with UNDP;
- The work week will be based on 37.5 hours, i.e. on a 7.5-hour working day, with core hours being between 9h00 and 18h00 daily;
- Payments are to be made to the Individual Consultant based on the number of days worked and deliverables accepted.
Any request for clarification must be sent by email to cpu.bids@undp.org
The UNDP Central Procurement Unit will respond by email and will send written copies of the response, including an explanation of the query without identifying the source of inquiry, to all consultants.
UNDP is committed to achieving workforce diversity in terms of gender, nationality and culture. Individuals from minority groups, indigenous groups and persons with disabilities are equally encouraged to apply. All applications will be treated with the strictest confidence.