1. The Contractor shall designate an Information-Technology Security Manager (ITSM) and/or Information-Technology Security Officer (ITSO) to perform the scope of work as follows:
a. Conduct IT Security Risk Assessment together with the Board to identify the security threats to the System, assess the risk and propose measures for approval of the Board to mitigate the risk;
b. Provision of IT security risk assessment report, which will be used as input to security design / architecture of the System delivered by the Contractor;
c. Coordinate incident handling;
d. Coordinate security audits and testing;
e. Consolidate security testing (e.g. vulnerability scanning, penetration testing results) and ensure remediation of all findings;
f. Maintain all the security documentation (including policies, standards and procedures); and
g. Overall responsible for IT security of the System, in accordance with the security requirements specified in this section of the Tender.
1. The ITSM shall possess relevant security competencies required for this Contract. At a minimum, the independent ITSM possess the following:
a. A minimum of THREE (3) years work experience in IT Security field involving enterprise systems / network / cloud infrastructure;
h. A current professional information security certification (such as CISSP, CISM, CRISC, CGEIT, GSE) or equivalent;
i. Comprehensive knowledge and experience in IT security management and governance, IT security risk assessment and management, IT security incident response and management, vulnerability assessments, IT security audit, penetration testing and other IT security tests, International standards and best practices for IT security such as those published by ISO/IEC, NIST, Center for Internet Security (CIS), etc, and technical expertise in proposed System;
j. Good interpersonal, presentation, written and communication skills;
k. Based locally; and
l. Contactable via mobile phone on a 24x7 basis.
