Request for Proposals IT Security Specialist
Proposals should be shared (in PDF form) with security@persistent.energy before May 31st 2023.
Introduction
Persistent, together with EEGF, is looking for an IT Security Specialist to provide the services of a Consultant on a project basis. The Consultant should have over 10 years of progressive industry experience in the field and at least 5 years in day-to-day cyber security advisory. The project is expected to start no later than June and to be completed within 1 month of the starting date.
With more businesses increasing their use of automation, cyber criminals are more sophisticated than ever. Persistent and EEGF, working together with last mile distribution software providers Upya and Solaris Offgrid (PaygOps), are therefore investigating cyber security in emerging markets. We want to increase awareness and develop better, relevant, and concrete tools to assess and assist companies in safeguarding their operations and protecting sensitive (consumer) data.
Across each of the deliverables, we would like the consultant to consider the CIA triad. Many of the companies we support work with large amounts of sensitive customer data of some of the most vulnerable global communities. We do not want these people to be exposed to information security risks because of the work we do. We believe the CIA triad to be an effective framework to assess and improve information security systems around its three core pillars:
Confidentiality – Is information properly stored so it can only be accessed by authorized staff, i.e. is the privacy of the consumers and staff guaranteed?
Integrity – Is data stored accurately and protected from alteration by unauthorized users, whether intentional or unintentional?
Availability – Is data available when it is needed by authorized users?
Our focus in this research is African SMEs operating in the energy access and climate space. Many of the companies we work with have, for SMEs, large client databases since they sell products on credit. They tend to have many remote sales staff (employed or on a commission basis). Staff and affiliates are on average relatively young and unaware of risks related to cyber security, with a lot of the work happening through mobile devices. The IT function of the companies we support differs widely: some have no dedicated IT staff and rely primarily on off-the-shelf SaaS solutions, while others have their own development teams building in-house software and mobile applications to manage their business and/or their (potential) customer base. All materials to be developed should strike a balance between in-depth technical relevance and usability by non-IT staff.
As part of the wider research around this topic we have also circulated a survey to some of our partner companies and other relevant companies in the sector. Although the response was limited (13 responses to date), we intend to derive at least some insights on topics relevant to our target audience. In addition, we have interviewed the aforementioned software providers to better understand how they deal with IT security. To further the understanding of the African context, the consultant may be provided with the responses and/or our summary findings, solely for the purpose of this work.
Aside from the concrete tools and expertise we hope to gain with this exercise, we also intend to publish our findings and possibly organize a webinar in which we intend to recognise all participating parties and contributors.
About EEGF
The Energy Entrepreneurs Growth Fund (EEGF) is a unique fund created in 2019 by Shell Foundation and FMO to make a critical contribution to the access-to-energy sector whilst addressing climate change. Managed by Triple Jump and advised by Persistent, EEGF provides tailored mezzanine, equity, and debt investments combined with technical assistance to early and growth-stage companies in the access-to-energy ecosystem in Sub-Saharan Africa.
About Persistent – Africa’s Climate Venture Builder
We believe in the power of climate-positive economic development in Africa. For the last decade, we have been working hand in hand with exceptional entrepreneurs, investing both financial and human capital to build successful climate ventures on the continent. Our companies offer competitive financial returns required to drive lasting impact.
Persistent does tech assessments and due diligence and provides IT support to partner companies. The assessments typically cover the full range of IT from strategy to implementation, and our IT support typically covers data and integration projects as well as business IT decision-making. With this RfP we intend to strengthen our own expertise and develop a number of relevant tools.
Consultant requirements and experience
- Consultants will be selected based on a proven track record in the field of data security, with active ongoing work in the field and progressive industry experience of over 10 years in IT and at least 5 years in day-to-day cyber security advisory. In other words, we would expect the expert to rely on existing knowledge without the need for much additional/new research.
- Consultants are expected to have a relevant academic background and should list any relevant certifications and/or training in the field of cyber security (e.g. Certified Information Systems Security Professional (CISSP) or Certified Ethical Hacker (CEH)).
- The consultant may represent a company or operate as a freelancer.
- Understanding of the African SME space is an advantage.
Topics and Deliverables
Below is an overview of topics and deliverables that we are looking to outsource to an IT security expert. Note that on any of these, we would expect to work closely together with the specialist.
For each of these, we are looking at developing pragmatic tools that are relatively easy to use and likely to be adopted by the relevant companies. We do not want tools to be adopted for the sake of it; they need to be genuinely implementable, maintained and checked/enforced. It’s one thing to put a policy in place, it’s a whole other challenge to ensure that the policy is adopted and compliance is verified over time. We by no means aim for 100% compliance with relevant international standards (such as ISO/IEC 27001:2022), since this is simply not in question at the stage of the companies we work with. Rather, we aim to lift the companies from little or no focus on information security to at least some core/critical measures implemented and awareness raised.
1. Overview state-of-affairs
Brief report including current security trends, common risks and easy-to-implement mitigation measures (especially relevant for the African SME context) as well as common frameworks and industry standards (such as the CIA triad and ISO/IEC 27001:2022 and ISO/IEC 27002:2022). It should touch on all aspects of IT security. The piece should include credible and relevant sources and, where applicable, refer to relevant standards and/or regulations.
Deliverable: As the information would be re-used in various other formats, we only need a simply formatted text (with relevant key graphs) of no more than 5 pages.
2. IT security check (self-assessment tool)
We believe it would be useful if companies could complete a brief questionnaire to give us a first insight into how far along they are with their information security. It should not take companies more than 10 minutes to complete the survey. It can be assumed that someone with at least some technical expertise will answer the questions.
This survey would also act as a first step in creating awareness. The survey should touch on all key elements of IT security and should not require any support to be completed. The tool should provide feedback to Persistent on which areas might be relevant to assess further and show the strengths and weaknesses of the company for the various areas in the survey. Although the questions themselves can be quite high level, the tool should cover a wide range of topics. Relevant topic areas should be selected first, and for each selected area the tool should present a number of questions specific to that topic. There should be a scoring methodology that yields a single score per category.
For simplicity’s sake, we are likely to share the questions with a company through for instance a Google Form and would then run the analysis and outcome separately in a Google Sheet. We would then present the findings back to the client. At this point, we do not intend to publish this as an online tool for anyone to fill and use but rather use it as a dedicated service to the companies we (intend to) work with.
Deliverable: A Spreadsheet with questions categorized per topic with answer options as well as a more detailed explanation of the question and interpretation. There should be a scoring methodology so each category can be rated independently.
3. A data security checklist
In order to execute a stronger Due Diligence (DD) with our portfolio companies, we would like a checklist of questions we should ask companies to verify where they stand in their IT security, with a brief explanation per question and a description of the desired state. Upon completion, it should give a comprehensive insight into the state of information security at the company in question and into the risks to which the company, and thus the investor, is exposed.
We may also use the questionnaire as a service to the company so feedback can be shared with the company to help create a starting point for further development, i.e. provide a list of tasks that can be worked on to achieve compliance.
This should be complementary to the IT security check mentioned under 2. This list of questions may be shared with companies, though it is more likely to be filled in by Persistent staff during a DD or assessment. Questions should be discrete (yes/no or a 1-5 scale) and provide a description and guidance on how to rate any answer. We would also expect questions to be weighted for importance/severity, i.e. lack of compliance on one issue is not necessarily as serious as on another.
Deliverable: A spreadsheet or table in Word with a detailed list of questions, a brief explanation/description of each question and a scoring methodology.
4. Security Scan
As part of our research we intend to have one in-depth security scan performed with a selected company in the industry that is willing to provide us with a relevant case study. We would expect to be actively involved in the process to understand how such a scan is done and what the output looks like. Although we do not intend to develop our own in-depth data security scan, we are keen to understand the process and learn how to provide context when we apply the checklist described under section 3.
Deliverable: A detailed report showing findings as well as recommendations for improvement which will also be shared with the company in question.
5. Company guidelines/policies
In order to quickly get companies on a path towards appropriate controls around information security, we are looking to have a document that can be easily deployed by companies to ensure key policies around IT are covered. It should cover the key protective measures that really should be in place to minimize the risk of the company being affected by IT security threats and to ensure the confidentiality, integrity and availability of its data.
Given the prevalence of incidents and the generally higher risks many companies are exposed to (due to poor coding practices and/or outdated hardware and software), Incident Response should be specifically addressed.
We would imagine the foundation for this document would be taken from the ISO 27001/2 2022 standards, though we also want to make it clear that we are not aiming for 100% compliance with these standards/guidelines. It should put companies on a path towards future compliance and address the most relevant issues and the most impactful measures a company can take around data security. These should be pragmatic and relatively straightforward to adopt.
Deliverable: A document clearly broken down into sections stating the relevant policies and measures that should be taken by the companies we work with.
6. Review Staff training materials
Based on our current understanding of relevant common practices we are developing a training presentation for staff of the companies we work with on how to protect themselves and company assets. We would like the consultant to review the materials and make recommendations for adjustments and/or additions if/where needed.
The training deck is likely to be in presentation format (Google Slides) with practical, easily implementable content and should not exceed 20 slides.
Deliverable: Commented version of the training materials that will be shared with the consultant.
Terms and Conditions
In this section we provide an overview of relevant general terms and conditions related to the assignment:
Proposal Requirements
Each topic should be presented as a separate deliverable, each including the proposed deliverable, approach, expected cost and effort (in man-hours/days). Persistent reserves the right to pick and choose depending on budget, overall timelines etc., though the consultant is encouraged to present a “package deal”.
The overall proposal will be evaluated based on a number of criteria, including:
- suitability and relevant experience of the proposed consultant;
- examples of work previously done;
- quality of the proposal and proposed intervention;
- applicability of the proposed implementation to our target audience;
- timeline;
- cost.
NB: Persistent retains the right to adjust criteria for selection based on incoming proposals and ongoing insights.
- With regards to timelines: The expected time frame for these deliverables is within 1 month after contract signing. Exact timelines for the various deliverables may be negotiated subject to availability (see the email address under Contact Information). We expect a timeline for the various deliverables as part of the proposal.
- With regards to Budget: As an impact investor in the social impact space Persistent works with tight budgets to deliver maximum impact.
- The proposal is expected to be delivered in PDF format.
- Expected annexes:
– In case the bidding consultant represents a company, the company profile, including relevant references.
– Recent CV(s) of the proposed consultant(s).
Final Notes
In case anything is unclear or additional information is required to write a proposal, we encourage the consultant to reach out and schedule a call to avoid unnecessary back and forth after submitting a proposal. See Contact Information for more details.
We expect the process to get to the deliverables to be interactive with at least 1 or 2 review rounds before sign-off.
Persistent is not aiming to develop a commercial data security service offering and is primarily doing this for the benefit of Persistent and EEGF partner companies and to strengthen our own assessment skills in the wider context of being able to do generic tech screenings. Although these are commercial activities in their own right, we do not intend to offer specialized IT security screenings and/or training.
As part of our work, we intend to publish an article relevant to the wider industry on this particular topic. Parts of this deliverable may therefore be used in an original or rewritten form, but not without recognizing the consultant as co-author.
We are open to recognizing the consultant’s contributions in some of the materials and publications where that might be useful for the consultant’s marketing purposes. We cannot guarantee future referrals.
Subject to the proposal and further discussion, payments are likely to be made against deliverables, and the contract will be subject to termination should the deliverables not meet the standard that can reasonably be expected from a specialist in this field.
Contact information
Proposals should be shared (in PDF form) with security@persistent.energy before May 31st 2023. Proposals are reviewed on a rolling basis as they come in.