
IAEA Specification: Comprehensive Information Security Risk Assessment and Remediation Roadmap
Dated 30 September 2014

STATEMENT OF WORK

Comprehensive Information Security Risk Assessment and Information Security Roadmap

1. Scope
This Statement of Work (SOW) describes the requirements for a Comprehensive
Information Security Risk Assessment and a Five-year Information Security Roadmap
with detailed Recommendations for the IAEA.

The IAEA has been a target of sophisticated attacks to infiltrate its IT infrastructure. IAEA
Management recognizes this new threat environment and is cognizant of the fact that
appropriate measures have to be taken to significantly improve the IAEA’s security
posture and equip the IAEA to deal with the next level of information security threats.

With assistance from the IAEA Project Lead and the Office of the CIO, the IAEA
seeks a Contractor to perform an Information Security Risk Assessment by performing an
in-depth review of the existing information security posture based on information
gathered from various sources, and, using the results and industry best practices, to
prepare Recommendations and an Agency-wide Five-Year Roadmap for improving the
information security posture of the IAEA. The Five-Year Roadmap is the ultimate
deliverable of this engagement.

Business continuity and related processes are not included in the scope of this activity.

2. Applicable Documents
The following documents shall be applicable for the work to the extent specified
hereinafter:
• ISO/IEC 27000 Series
• ISO/IEC 31000 Series
In the event of conflict between the documents listed above and the content of this
Specification, the content of this Specification shall take precedence to the extent of the
conflict.

3. Requirements
The Contractor and its engaged technical staff(s) shall carry out the activities listed
here below and provide the deliverables specified.

3.1. Schedule and Place

3.1.1. The length of the total engagement shall be no longer than three (3) calendar
months; and
3.1.2. For the initial kick-off of the engagement, review of confidential information
and for any needed stakeholder interviews, the Contractor shall work on-site
at the IAEA Headquarters in Vienna, Austria, with assistance from the IAEA
Project Lead and the Office of the CIO. The on-site work may, by necessity,
be extensive and include weekend effort.

Page 1 of 8

3.2. Profile and Qualifications

All Contractors’ engaged staff on this account shall have/be:
3.2.1. Experience:
3.2.1.1. A minimum of 10 years of working experience covering a majority of
the areas detailed in sections 3.3 and 3.4;
3.2.1.2. Familiarity with ISO 27000; and
3.2.1.3. Relevant certifications (CISSP, CISA, CRISC or any GIAC
Intermediate or Advanced) in good standing.

3.2.2. Personnel qualities:

3.2.2.1. Strong facilitation and communication skills; and
3.2.2.2. Fluency in English (oral and written).

3.2.3. The Contractor’s Project Manager working on this account shall have
extensive experience managing consulting engagements for high-profile clients.

3.2.4. The Subject Matter Experts (Technical) working on this account shall have/be:
3.2.4.1. Extensive and proven technical experience in information security and
performing the services listed in Sections 3.3 and 3.4;
3.2.4.2. Strong understanding of security controls in the environments
described in Attachment 1 (‘IAEA Information and IT Technology
Environment Description’) and the ability to technically assess multi-protocol
and multi-platform operating and development environments; and
3.2.4.3. Additional relevant certifications such as GIAC Advanced or Expert,
Certified Ethical Hacker, or equivalent.

3.2.5. The Subject Matter Experts (Governance) shall have/be:

3.2.5.1. Strong and proven experience in governance, organizational and
operational security; and
3.2.5.2. Extensive experience performing governance, organizational and
operational security assessments with strong knowledge of industry
standards and best practices.

3.3. Perform an Agency-wide Information / IT Security Risk Assessment

The Contractor shall perform an in-depth review of the As-Is environment, identifying
threat and attack vectors, and analyzing impacts and risks to the IAEA:
3.3.1. Guided by industry and company best practice methodologies, the Contractor
shall provide an approach or framework for collecting and assessing the
information necessary for creating the Roadmap. Within this framework, the
Contractor shall:
3.3.1.1. Define a project plan for the full length of the engagement, including
high level milestones (including the assessment, recommendations
and roadmap);
3.3.1.2. Define whether and to what extent technical assessments will be
required in addition to or validation of the extensive documentation
described in Section 5.2;
3.3.1.3. Define whether and how many facilitated sessions will be required;
3.3.1.4. Draft agendas for each session;
3.3.1.5. Define the key people required and the expected deliverables;


3.3.2. This Risk Assessment shall include the following major topic areas and should
cover the detailed areas listed:
3.3.2.1. Information Security Governance
3.3.2.1.1. Governance and Compliance Activities;
3.3.2.1.2. Information Security Strategy;
3.3.2.1.3. Information Security Policies and Procedures;
3.3.2.1.4. Information Security Risk Management; and
3.3.2.1.5. Information Security Metrics Reporting

3.3.2.2. People
3.3.2.2.1. Information Security Staffing, Roles and Responsibilities;
3.3.2.2.2. Information Security Skills;
3.3.2.2.3. Information Security Education and Awareness; and
3.3.2.2.4. Information Security Organization and Reporting Structures

3.3.2.3. Processes
3.3.2.3.1. Identity and Access Management;
3.3.2.3.2. Information Classification and Handling;
3.3.2.3.3. Information Security Architecture;
3.3.2.3.4. Threat and Vulnerability Management;
3.3.2.3.5. Information Security Incident Management;
3.3.2.3.6. Certification and Accreditation;
3.3.2.3.7. Asset Management;
3.3.2.3.8. Audit and Assessment;
3.3.2.3.9. Logging and Monitoring;
3.3.2.3.10. Application and System Acquisition and Development;
3.3.2.3.11. Secure Systems Development Life Cycle;
3.3.2.3.12. Change Management;
3.3.2.3.13. Core Infrastructure Management;
3.3.2.3.14. Risk Assessments; and
3.3.2.3.15. Compliance

3.3.2.4. Technologies
3.3.2.4.1. Networks;
3.3.2.4.2. Databases;
3.3.2.4.3. Operating Systems;
3.3.2.4.4. Virtual Environments;
3.3.2.4.5. Applications;
3.3.2.4.6. End Points;
3.3.2.4.7. Mobile Devices;
3.3.2.4.8. Messaging Systems;
3.3.2.4.9. Telecommunications;
3.3.2.4.10. Storage;
3.3.2.4.11. Document Management Systems;
3.3.2.4.12. Active Directory;
3.3.2.4.13. Identity / Access Management Systems;
3.3.2.4.14. Laboratory and Analysis Systems; and
3.3.2.4.15. Remote Access Systems


3.3.3. The Contractor shall notify the IAEA Project Lead promptly of any existing
vulnerabilities identified that pose a significant and immediate threat to the IAEA.

3.3.4. The Contractor shall develop a Risk Assessment Report, which shall include
at a minimum, but not be limited to, the following topics:
3.3.4.1. The identification of policy, process, personnel and technical
vulnerabilities with asset and criticality details based on the risk
analysis;
3.3.4.2. An evaluation of the risk level for each critical asset deemed vulnerable
and subject to specific threats;
3.3.4.3. The identification of existing and proposed safeguards, and an
assessment of their adequacy;
3.3.4.4. The identification and assessment of residual risks that need to be
addressed;
3.3.4.5. Risk prioritization;
3.3.4.6. An analysis of the consequences/impact of the potential threats, and
an evaluation of the likelihood of occurrence;
3.3.4.7. A threat model including the identification of potential accidental and
deliberate threat and attack vectors to those assets; and
3.3.4.8. Benchmarking of the IAEA security posture against similar industry
(international and intelligence organizations, or equivalent) / best
practices / maturity scale;
3.3.5. The Contractor shall provide draft iterations of the above deliverable to the
IAEA for the purpose of clarification of information as required. Prior to
acceptance of the final versions of the deliverables, the Contractor shall
organize a formal review meeting with the IAEA.

3.4. Create an Agency-wide Five-Year Roadmap

3.4.1. The Contractor shall utilize the results of the risk assessment to develop an
Agency-wide Information Security Five-Year Roadmap including:
3.4.1.1. Detailed and achievable Recommendations Report to remediate the
risks identified;
3.4.1.2. Identification of security projects based on individual or combined
recommendations with detailed activities and action plans;
3.4.1.3. Appropriate milestones and key performance indicators to enhance the
IAEA’s information security posture and address key risk findings;
3.4.1.4. Prioritization of the projects based on risk, with a timeline based on
annual efforts;
3.4.1.5. Time, cost estimates and interdependencies for implementation for
each of the projects;
3.4.1.6. An assessment of how the implementation of each project would
remediate the risk and position the IAEA vis-à-vis industry best
practice;
3.4.1.7. An assessment for each project regarding whether its implementation
would result in ongoing operational expenses (in terms of resources
and in terms of recurring operational costs) and whether there are
alternatives to deliver them through managed service providers or
cloud service providers; and
3.4.1.8. Identification of Stakeholders, Dependencies and Project outcomes;


3.4.2. The Contractor shall be responsible for providing meeting summaries and a
draft roadmap document for review and discussion; and
3.4.3. The Contractor shall provide draft iterations of the above deliverable to the
IAEA for the purpose of clarification of information as required. Prior to
acceptance of the final versions of the deliverables, the Contractor shall
organize a formal review meeting with the IAEA.

3.5. Quality assurance and monitoring of work deliverables

3.5.1. All work shall be monitored and assessed by the IAEA Project Lead and the
Office of the Director-MTIT/CIO, who will act as the primary representatives of
the IAEA; and
3.5.2. The Contractor shall provide the IAEA with regular updates either via email or
internet-supported or in-person meetings to touch base and review progress as
required. Updates shall be provided biweekly or as requested by the IAEA.

3.6. Formal acceptance of deliverables/specialist products

3.6.1. All interim drafts and final deliverables shall be provided in electronic format.
Prior to acceptance of the final versions of the deliverables, the Contractor shall
organize a formal review meeting with the IAEA; and
3.6.2. The Contractor shall prepare and present (using PowerPoint) the Risk
Assessment Report and Five-Year Roadmap to the IAEA CIO and Senior
Management.

4. Deliverable Data Items

The Contractor shall deliver the following data items:

4.1. A detailed Project Plan with activities planned in all phases of the engagement;

4.2. A detailed Risk Assessment report and presentation (as defined in the Requirements
section 3.3) in an electronic format prepared for and presented to the CIO and
Senior Management of the Agency;

4.3. A Recommendations Report, detailed Five Year Roadmap and Presentation (as
defined in the Requirements section 3.4) for improving the IAEA’s information security
posture by addressing key risks in an electronic format prepared for the CIO and
Senior Management of the Agency; and

4.4. All artefacts such as questionnaires, interview notes, minutes, testing results, working
sheets, draft reports and any other data created, together with all information provided by
the IAEA, delivered along with the final report.

5. IAEA Responsibilities
5.1. The IAEA will allocate a Project Lead who will be the focal point of contact within the
Office of the Director-MTIT/CIO for the duration of the engagement;

5.2. The IAEA will provide extensive documentation at the initiation of the risk
assessment, including:
5.2.1. Information and IT security relevant policies, procedures and guidance
documents;
5.2.2. Detailed audit and security assessment results covering information and IT
processes and technologies;


5.2.3. Selected incident data and reports;
5.2.4. Network, security, system and architecture diagrams and documentation; and
5.2.5. An on-site working space and computers in Vienna for review and assessment
of any classified information that may not be removed from the site.

5.3. The IAEA staff will provide assistance to the Contractor by:
5.3.1. Setting up stakeholder engagements (meetings, workshops etc.);
5.3.2. Providing access to any further information as required (additional
documentation);
5.3.3. Acting as reviewer of drafts, proposals and approaches produced by the
Contractor’s engaged staff(s);
5.3.4. Acting as approver for the final deliverables throughout the engagement; and
5.3.5. Providing an on-site working space (meeting room) when the Contractor’s
staff are at the IAEA in Vienna; and
5.3.6. Providing on-site technical and staff resources in support of technical
assessments as agreed by the Contractor and the IAEA.


Attachment 1
IAEA Information and IT Technology Environment Description

1.1. Information and communication systems are central to the IAEA’s mission and daily
business activities, as they are utilized to routinely exchange information among
management and staff, with member states and other third parties in the public and
private sectors. This is accomplished through the normal enterprise business and
communications systems, restricted access and public web and collaboration
services and staff remote access systems that are hosted both internally and in
cloud-based systems. In addition to the systems supporting daily business activities,
the IAEA has information and communications systems supporting the highly
sensitive Nuclear Security and Safeguards activities.

1.2. The information technology infrastructure supports ~3000 users (staff and
consultants) located at one primary location (Vienna International Centre) with four
additional permanent facilities located in Austria, Canada, Monaco and Japan.

1.3. The IAEA has a partially centralized IT management organizational structure.
Centralized IT management provides network, server, end point and security
operations planning and administration as well as software development and
maintenance. Additionally, there are staff members within divisions throughout the
Agency providing software development, server-based applications administration
and local IT client support.

1.4. While all staff members have information security responsibilities, the IAEA has a
number of staff positions dedicated to security functions. These include:
• Central Security Coordinator (responsible for all aspects of security except for
Information Security)
• Chief Information Security Officer (a newly created position currently being
recruited)
• Safeguards Information Security Officer
• Security operations groups, supporting
o Access control
o Threat management
o Incident response
o IT security engineering
• Information and IT security engineers, supporting
o Risk management
o Security assessments
o Secure design and development

1.5. The IAEA has a formal information security policy. There are also Agency policies
related to various information security related activities. Additionally, each
Department may also issue additional policies and the Department of Safeguards
has policy and procedures focused on protecting the confidentiality and integrity of
the sensitive information that is central to their mission. On an ongoing basis, both
internal and external audits and security assessments are performed.


1.6. The technology underlying these services that are administered by IAEA staff
includes:

• 400+ Servers, physical and virtualized (highly virtualized), Windows and
Linux (predominantly Windows);
• 3000+ client computers (desktop and notebook, Windows, Mac and Linux,
predominantly Windows);
• Mobile devices (Blackberry, iPad, iPhone);
• MS Active Directory, multiple forests/multiple domains and additional
standalone domains (such as for the DMZ);
• Cisco IPv4 wired and wireless networks, supporting client and server
environments and Internet access;
• Network security systems providing access control; threat identification and
blocking; centralized logging and Security Event and Incident Management;
• Multiple inter-site network communications connections;
• Multiple remote access systems;
• On-site dedicated data centers and rooms;
• Cloud-based and outsourced resources;
• Centralized and local IT Service Desks;
• Commercial and bespoke applications, client, client-server and web-based;
• Specialized laboratory and remote monitoring applications and systems;
o The deployed remote monitoring systems are out of scope for this
assessment;
• Disaster recovery infrastructure;
o Reference 1.3, the functionality of this infrastructure is out of scope.
However, connectivity with the production infrastructure is in scope.

1.7. Application and system development is provided by IAEA staff and consultants for in-
house and technology transfer projects, utilizing multiple platforms and languages.
