IAEA Specification
Comprehensive Information Security Risk Assessment and Remediation Roadmap
Dated 30 September 2014
STATEMENT OF WORK
1. Scope
This Statement of Work (SOW) describes the requirements for a Comprehensive
Information Security Risk Assessment and a Five-year Information Security Roadmap
with detailed Recommendations for the IAEA.
The IAEA has been the target of sophisticated attacks aimed at infiltrating its IT
infrastructure. IAEA Management recognizes this threat environment and that appropriate
measures must be taken to significantly improve the IAEA's security posture and to equip
the IAEA to deal with the next level of information security threats.
With assistance from the IAEA Project Lead and the Office of the CIO, the IAEA seeks a
Contractor to perform an Information Security Risk Assessment, consisting of an in-depth
review of the existing information security posture based on information gathered from
various sources, and, using the results and industry best practices, to prepare
Recommendations and an Agency-wide Five-Year Roadmap for improving the information
security posture of the IAEA. The Five-Year Roadmap is the ultimate deliverable of this
engagement.
Business continuity and related processes are not included in the scope of this activity.
2. Applicable Documents
The following documents shall be applicable for the work to the extent specified
hereinafter:
• ISO/IEC 27000 Series
• ISO/IEC 31000 Series
In the event of conflict between the documents listed above and the content of this
Specification, the content of this Specification shall take precedence to the extent of the
conflict.
3. Requirements
The Contractor and its engaged technical staff shall carry out the activities listed
below and provide the deliverables specified.
3.2.3. The Contractor’s Project Manager working on this account shall have
extensive experience managing consulting engagements for high-profile clients.
3.2.4. The Subject Matter Experts (Technical) working on this account shall have:
3.2.4.1. Extensive and proven technical experience in information security and
performing the services listed in Sections 3.3 and 3.4;
3.2.4.2. A strong understanding of security controls in the environments
described in Attachment 1 ('IAEA Information and IT Technology
Environment Description') and the ability to technically assess
multi-protocol and multi-platform operating and development environments; and
3.2.4.3. Additional relevant certifications such as GIAC Advanced or Expert,
Certified Ethical Hacker, or equivalent.
3.3.2. This Risk Assessment shall include the following major topic areas and should
cover the detailed areas listed:
3.3.2.1. Information Security Governance
3.3.2.1.1. Governance and Compliance Activities;
3.3.2.1.2. Information Security Strategy;
3.3.2.1.3. Information Security Policies and Procedures;
3.3.2.1.4. Information Security Risk Management; and
3.3.2.1.5. Information Security Metrics Reporting
3.3.2.2. People
3.3.2.2.1. Information Security Staffing, Roles and Responsibilities;
3.3.2.2.2. Information Security Skills;
3.3.2.2.3. Information Security Education and Awareness; and
3.3.2.2.4. Information Security Organization and Reporting Structures
3.3.2.3. Processes
3.3.2.3.1. Identity and Access Management;
3.3.2.3.2. Information Classification and Handling;
3.3.2.3.3. Information Security Architecture;
3.3.2.3.4. Threat and Vulnerability Management;
3.3.2.3.5. Information Security Incident Management;
3.3.2.3.6. Certification and Accreditation;
3.3.2.3.7. Asset Management;
3.3.2.3.8. Audit and Assessment;
3.3.2.3.9. Logging and Monitoring;
3.3.2.3.10. Application and System Acquisition and Development;
3.3.2.3.11. Secure Systems Development Life Cycle;
3.3.2.3.12. Change Management;
3.3.2.3.13. Core Infrastructure Management;
3.3.2.3.14. Risk Assessments; and
3.3.2.3.15. Compliance
3.3.2.4. Technologies
3.3.2.4.1. Networks;
3.3.2.4.2. Databases;
3.3.2.4.3. Operating Systems;
3.3.2.4.4. Virtual Environments;
3.3.2.4.5. Applications;
3.3.2.4.6. End Points;
3.3.2.4.7. Mobile Devices;
3.3.2.4.8. Messaging Systems;
3.3.2.4.9. Telecommunications;
3.3.2.4.10. Storage;
3.3.2.4.11. Document Management Systems;
3.3.2.4.12. Active Directory;
3.3.2.4.13. Identity / Access Management Systems;
3.3.2.4.14. Laboratory and Analysis Systems; and
3.3.2.4.15. Remote Access Systems
3.3.3. The Contractor shall notify the IAEA Project Lead promptly of any existing
vulnerabilities identified that pose a significant and immediate threat to the IAEA.
3.3.4. The Contractor shall develop a Risk Assessment Report, which shall include
at a minimum, but not be limited to, the following topics:
3.3.4.1. The identification of policy, process, personnel and technical
vulnerabilities with asset and criticality details based on the risk
analysis;
3.3.4.2. An evaluation of the risk level for each critical asset deemed vulnerable
and subject to specific threats;
3.3.4.3. The identification of existing and proposed safeguards, and an
assessment of their adequacy;
3.3.4.4. The identification and assessment of residual risks that need to be
addressed;
3.3.4.5. Risk prioritization;
3.3.4.6. An analysis of the consequences/impact of the potential threats, and
an evaluation of the likelihood of occurrence;
3.3.4.7. A threat model including the identification of potential accidental and
deliberate threat and attack vectors to those assets; and
3.3.4.8. Benchmarking of the IAEA security posture against similar industry
(international and intelligence organizations, or equivalent) / best
practices / maturity scale.
3.3.5. The Contractor shall provide draft iterations of the above deliverable to the
IAEA for the purpose of clarification of information as required. Prior to
acceptance of the final versions of the deliverables, the Contractor shall
organize a formal review meeting with the IAEA.
3.4.2. The Contractor shall be responsible for providing meeting summaries and a
draft roadmap document for review and discussion; and
3.4.3. The Contractor shall provide draft iterations of the above deliverable to the
IAEA for the purpose of clarification of information as required. Prior to
acceptance of the final versions of the deliverables, the Contractor shall
organize a formal review meeting with the IAEA.
4.1. A detailed Project Plan with activities planned in all phases of the engagement;
4.2. A detailed Risk Assessment report and presentation (as defined in the Requirements
section 3.3) in an electronic format prepared for and presented to the CIO and
Senior Management of the Agency;
4.3. A Recommendations Report, detailed Five Year Roadmap and Presentation (as
defined in the Requirements section 3.4) for improving the IAEA’s information security
posture by addressing key risks in an electronic format prepared for the CIO and
Senior Management of the Agency; and
4.4. All artefacts such as questionnaires, interview notes, minutes, testing results, working
sheets, draft reports and any other data created during the engagement, together with all
information provided by the IAEA, delivered along with the final report.
5. IAEA Responsibilities
5.1. The IAEA will allocate a Project Lead who will be the focal point of contact within the
Office of the Director-MTIT/CIO for the duration of the engagement;
5.2. The IAEA will provide extensive documentation at the initiation of the risk
assessment, including:
5.2.1. Information and IT security relevant policies, procedures and guidance
documents;
5.2.2. Detailed audit and security assessment results covering information and IT
processes and technologies;
5.3. The IAEA staff will provide assistance to the Contractor by:
5.3.1. Setting up stakeholder engagements (meetings, workshops etc.);
5.3.2. Providing access to any further information as required (additional
documentation);
5.3.3. Acting as reviewer of drafts, proposals and approaches produced by the
Contractor’s engaged staff(s);
5.3.4. Acting as approver for the final deliverables throughout the engagement;
5.3.5. Providing an on-site working space (meeting room) when the Contractor’s
staff are at the IAEA in Vienna; and
5.3.6. Providing on-site technical and staff resources in support of technical
assessments as agreed by the Contractor and the IAEA.
Attachment 1
IAEA Information and IT Technology Environment Description
1.1. Information and communication systems are central to the IAEA’s mission and daily
business activities, as they are utilized to routinely exchange information among
management and staff, with member states and other third parties in the public and
private sectors. This is accomplished through the normal enterprise business and
communications systems, restricted access and public web and collaboration
services and staff remote access systems that are hosted both internally and in
cloud-based systems. In addition to the systems supporting daily business activities,
the IAEA has information and communications systems supporting the highly
sensitive Nuclear Security and Safeguards activities.
1.2. The information technology infrastructure supports ~3000 users (staff and
consultants) located at one primary location (Vienna International Centre) with four
additional permanent facilities located in Austria, Canada, Monaco and Japan.
1.4. While all staff members have information security responsibilities, the IAEA has a
number of staff positions dedicated to security functions. These include:
• Central Security Coordinator (responsible for all aspects of security except for
Information Security)
• Chief Information Security Officer (a newly created position currently being
recruited)
• Safeguards Information Security Officer
• Security operations groups, supporting
o Access control
o Threat management
o Incident response
o IT security engineering
• Information and IT security engineers, supporting
o Risk management
o Security assessments
o Secure design and development
1.5. The IAEA has a formal information security policy. There are also Agency policies
related to various information security related activities. Additionally, each
Department may also issue additional policies and the Department of Safeguards
has policy and procedures focused on protecting the confidentiality and integrity of
the sensitive information that is central to their mission. On an ongoing basis, both
internal and external audits and security assessments are performed.
1.6. The technology underlying these services that are administered by IAEA staff
includes:
1.7. Application and system development is provided by IAEA staff and consultants for
in-house and technology transfer projects, utilizing multiple platforms and languages.