Consultancy Services for the Implementation of the E-Business Security & Penetration Testing
Updated on 13th September 2011
EXPRESSION OF INTEREST NO 035 /S/RRA/2011-12
PROJECT TITLE: CONSULTANCY SERVICES FOR THE IMPLEMENTATION OF THE E-BUSINESS SECURITY & PENETRATION TESTING RECOMMENDATIONS IN E-TAX AND E-TAX QUALITY ASSURANCE SOFTWARE PER MODULE DELIVERED TO RRA.
FINANCING: ICF
CLIENT: RWANDA REVENUE AUTHORITY (RRA)
The Rwanda Revenue Authority (RRA) is looking for consultants to PROVIDE CONSULTANCY SERVICES FOR THE IMPLEMENTATION OF THE E-BUSINESS SECURITY & PENETRATION TESTING RECOMMENDATIONS IN E-TAX AND E-TAX QUALITY ASSURANCE SOFTWARE PER MODULE DELIVERED TO RRA. Interested consultants who possess the required expertise are invited to submit their Expressions of Interest to the Rwanda Revenue Authority, situated at Kimihurura, P.O. Box 3987 Kigali, Avenue du Lac Muhazi, Administration Office, 4th floor, Tel: (252) 595596, 595595, Fax: (252) 578488, Email: email@example.com, not later than 19/10/2011 at 10:00am. Expressions of Interest will be opened 30 minutes later (same day). Late proposals will be rejected.
TERMS OF REFERENCES
Support to the Rwanda Revenue Authority (RRA): E*Business Security and Software Quality Assurance Adviser
International donors have been heavily involved in the establishment and development of the Rwanda Revenue Authority since its creation in 1998. To date, these donors have provided Technical Assistance and Grant support focused on establishing the organisation, improving RRA systems and procedures, developing capacity and supporting the RRA computerisation strategy.
The modernisation programme is being supported by a large-scale computerisation effort. An integrated tax software package (SIGTAS) has been implemented at the RRA Kimihurura Head Quarters and deployed to 14 RRA District offices in the provinces of Rwanda. Within Customs, the UNCTAD software ASYCUDA++ has been deployed countrywide, and implementation of the Electronic Single Window and ASYCUDA World is to start soon. SIGTAS is the back-office system for domestic taxes, and post-implementation experience has demonstrated the need for an online e-filing and e-payment system; RRA has therefore contracted a software development company to develop and deploy an ETAX software application that provides taxpayers with online filing and payment facilities. Other computerisation initiatives are the continued improvement of the Financial Management Information System (FMIS/SAGE), the implementation of a Human Resources and Payroll software package (PEODESY) and the deployment of a corporate email and IP telephony system. All these systems can be accessed via a Voice & Data (IP) communication network that links 36 RRA offices throughout Rwanda.
Rwanda Revenue Authority (RRA) has undertaken a project to implement an e*Tax Internet Portal for the online filing of tax returns, the payment of taxes due, the production of assessment notices and the online payment of VAT, income taxes, social security contributions, PAYE and all other taxes by companies and individuals in Rwanda.
Security is a critical concern for taxpayers and for RRA. Establishing trust between all parties in an online transaction is vital for the success of the e*Tax project. The public wants full assurance that the information they supply goes only to RRA, will not be misused by that organisation, and that the payment mechanisms are confidential and secure. RRA shares these concerns but also requires that its systems be protected from fraudulent use, intrusion and tampering.
At the present stage of the project, RRA wishes to validate that the solution's security architecture and its control measures are sound and meet internationally recognised security requirements.
RRA would like to engage an E*Business Security and Software Quality Assurance Expert for a short-term assignment to assist with and supervise the quality and security of RRA's ongoing ETAX application deployment, its supporting IT infrastructure and the new e*Tax Internet portal, which will offer secure web services to taxpayers.
Objectives and main duties
The consultant will review RRA's new implementation of the ETAX application being developed and ensure the quality assurance of the application. In addition, the consultant should review the implemented ETAX application network infrastructure and verify that its security is being implemented in line with the recommendations of the ETAX security consultant.
The consultant should review the information security organisation and its management processes in general. The review will cover the overall technological design of the system, with a high-level assessment of the actual equipment configuration and installation. The consultant will also assess the maturity of the new e*Tax Internet portal solution and identify recommendations to enhance the security of the system and mitigate observed risks. The consultant should have prior knowledge of RRA's ETAX business and of the supporting network environment and application being installed.
The consultant should be actively involved in the ongoing implementation by supervising the process, following up with the relevant vendor and supporting the implementation so that the process succeeds and is easily achievable.
The consultant should provide a team of at least one to two members for testing the software quality assurance.
The consultant should coordinate and obtain quality assurance certification for the ETAX application from reputable certification bodies. The consultant should list the tools (technologies) to be used and the different kinds of "attack" (penetration tests) to be performed on the e-tax software and on the RRA network in general.
When examining the implementation, the following factors must be considered:
• Whether the S/W implementation is as per the requirements?
• Whether the S/W delivers the expected quality?
• Whether the proposed architecture can support the month-end rush condition?
• Whether the S/W can meet all the business cases?
• Which processes, records and communications need to be protected?
• What are the threats to these assets, and what are the risks that the threats will occur?
• Given these needs, what are the potential strengths and limitations of the available Internet security options?
• How will the security system interact with other applications currently in use?
• What other equipment (hardware or software) will be needed to make it as secure as possible?
• What type of training will employees need to ensure that the system functions properly?
Duration: 12 weeks.
Skills, expertise and experience
The E*Business Security Adviser should demonstrate strong competencies in security auditing and consulting services and have worked on many security projects for several large customers such as banks, credit card companies, telecommunications operators and/or governmental agencies operating web-based transactional systems. The Adviser's experience must include several e-commerce, e-payment and infrastructure projects.
The Adviser holds several professional certifications: Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) and Information Systems Security Management Professional (ISSMP). Ideally, the Adviser is a member of one of the following organisations: the Internet Society (ISOC) and/or the Internet Corporation for Assigned Names and Numbers (ICANN) and/or the Security and Stability Advisory Committee (SSAC).
The expertise and experience required are:
• Recognised university degree in Engineering or Computing Sciences with a strong focus on Systems Engineering and Information Technology;
• Specialised certificate in governance, audit and IT security from a recognised institute;
• 10 years of professional experience in Information Technology, of which 5 years as an IT security specialist;
• Completion of a minimum of 3 projects implementing E*Business security in medium and large corporations;
• Proven business and consulting expertise;
o Ability to articulate complex business and technical concepts to senior-level executives;
• Proven systems engineering and technical expertise;
o Expertise and experience with Cisco equipment;
o Expertise and experience designing and implementing security systems;
• Spoken and written English;
• Spoken and written French not mandatory but highly
Done at Kigali, on 09/09/2011
Seth MUHIRWA Director of Human Resources & Administration