Terms of Reference – IT Security and Systems Configuration Auditor

DEADLINE: December 21, 2023
OPEN JOB

INTRODUCTION

The African Population and Health Research Center (APHRC) is a leading Africa-based, African-led, international research institution headquartered in Nairobi, Kenya, with a regional office in Dakar, Senegal. Our researchers are contributing to the body of evidence about the critical issues in population health and wellbeing impeding Africa’s development in order to provide strong direction and recommendations to policy and decision-makers at all levels. Our priority research areas are Human Development, Health and Well-Being, Data Science and Evaluation, and Population Dynamics and Urbanization in Africa. In addition to the research component, APHRC has other programmatic areas in Research and Related Capacity Strengthening, Policy Engagement and Communications and International programs.

OBJECTIVES

APHRC wishes to engage a consultant to conduct an IT systems review and provide assurance that network and application security threats are known and that the necessary protection measures are in place to ensure that the entity will achieve:

  • Confidentiality: Ensuring that information is accessible only to authorised personnel.
  • Integrity: Safeguarding the accuracy and completeness of information and processing methods.
  • Availability: Ensuring that authorised users have access to information and resources when required.
  • Adequacy of policies, procedures and compliance with existing procedures.

PROJECT CONTEXT

APHRC has implemented various information systems in a bid to improve efficiency and effectiveness in the delivery of its mandate. To ensure that the information systems are safeguarding our assets, maintaining data confidentiality, integrity and availability, and operating at optimum levels, APHRC is looking for a qualified consultant to conduct vulnerability scanning, penetration testing and a review of our logical security perimeter, as well as to provide cybersecurity-awareness training to all APHRC employees.

The testing process should follow standard methodologies such as target identification, enumeration, vulnerability assessment, exploitation attempt, clean-up, and reporting. The testing must be non-destructive and non-intrusive: APHRC should not experience denial of service (DoS/DDoS), data loss or destruction, lost time, or access impairment during the delivery of this project. The training should be inclusive, with proof provided that all staff have been trained and certificates issued on completion.

Based on known, consensus best practices and a wealth of practical experience and expertise from the technology industry, this exercise will provide the education and guidance needed to understand and improve APHRC’s information security posture. The objective is to carry out a comprehensive review and examination of information and communication technology assets at APHRC. This will involve evaluating the design and effectiveness of the systems’ internal controls and examining the network perimeter, system security, database security, and cloud operations security. The consultant shall report on the conclusions reached from the review of the systems and recommend suitable measures for correcting any deficiencies identified during the process. APHRC will then be able to measure the security and resilience of its systems and the level of cyber threat to its end users.

During the exercise, the consultant will be required to work with the IT staff to ensure that the exercise is carried out successfully by following all required steps.

SCOPE OF WORK

Our risk-based approach delineates the requirements/scope into the following sections:

  1. Anonymous information gathering to discover all internet-facing assets a hacker could identify as potential entry-points into the organisation’s network and infrastructure.
  2. Scanning of internet-available servers and web services for known vulnerabilities.
  3. Verifying scan-result findings through in-depth manual penetration testing attack techniques.
  4. Providing deeply informed remediation guidance and advisory services for identified/verified vulnerabilities.
  5. External and internal network vulnerability assessment and penetration testing.
  6. Internal web application penetration testing.
  7. Server security and configuration reviews.
  8. Database security and configuration reviews.
  9. Third party interconnection reviews such as bank integration, vendor database, API reviews etc.
  10. Application security configuration reviews for systems such as MS Business Central Dynamics 365 and portals.
  11. System configuration and change management reviews.
  12. Access, authorisation, and session management testing for all users and administrators.
  13. Denial of service testing.
  14. Data validation testing.
  15. Cloud firewall and virtual network configuration reviews and testing.
  16. Cloud environment security assessment.
  17. VPN configuration reviews.
  18. Intrusion detection/prevention system testing (Kaspersky Cloud Security).
  19. Password service strength testing.
  20. Email security testing such as phishing and malware control.
  21. DR testing such as backup and restore, redundancy and environment segregation.
  22. ERP configuration vulnerabilities.
  23. Maintenance of active directory (AD).

SECURITY TRAINING

Train APHRC staff on cybersecurity awareness.

CONDUCT OF THE WORK

Target Identification

In this planning and reconnaissance stage, the consultant and the APHRC IT staff will define the scope and goals of the tests. This will include the systems to be assessed and the testing methods to be used. The systems to be addressed will be servers and cloud infrastructure.

The consultant will gather intelligence to better understand how a target works and its potential vulnerabilities. APHRC’s IT team will provide any required documentation/information, such as internet protocol (IP) addresses, to the winning bidder.

Scanning & Enumeration

The next step is to understand how the target application will respond to various intrusion attempts, providing a real-time view into the application’s behaviour and performance. All services that will be tested should be enumerated at this stage.

Vulnerability Assessment & Gaining Access

This stage uses web application attacks, such as cross-site scripting, SQL injection and backdoors, to uncover the target’s vulnerabilities. The testers try to exploit these vulnerabilities, typically by escalating privileges, stealing data, intercepting traffic, etc., to understand the damage they can cause.

Exploitation & Maintaining Access

The goal of this stage is to see if the vulnerability can be used to achieve a persistent presence in the exploited system, long enough for a bad actor to gain in-depth access. The idea is to imitate advanced persistent threats, which often remain in a system for months to steal an organisation’s most sensitive data.

Report and Analysis

The consultant will be required to give a report on the exercise which outlines key objectives and findings, such as the specific vulnerabilities that were exploited, the sensitive data that was accessed, and the amount of time the penetration tester was able to remain in the system undetected. The consultant will also be required to develop a roadmap showing the recommended controls to be implemented to resolve the gaps identified during the penetration test engagement. The roadmap will be built upon an agreed timeline. Individual analysis reports will be provided for each firewall, standalone device, and system.

Training & Presentation of Findings

A presentation of key findings, summarising the findings documented in the report, will be delivered to the APHRC team. Training on impact and on how to carry out remediation will be conducted for all APHRC IT staff.

All APHRC employees will receive two graded cyber-security awareness training sessions. Topics covered in each of the cybersecurity awareness training sessions will include, but are not limited to:

  • Phishing, malware and ransomware.
  • Password security.
  • Removable media, encryption and backup.
  • Social engineering and social media.
  • Browser and mobile security.
  • Incident reporting, response and management.
  • Wi-Fi: public and corporate Wi-Fi.
  • Privacy, multi-factor authentication, single sign-on.

OUTCOMES AND DELIVERABLES

The consultant is expected to deliver:

  • Inception report within two weeks of signing of contract.
  • Penetration test report with detailed recommendations and an action plan.
  • User awareness training.
  • Report & Handover. The contracted firm is expected to provide an actionable report with detailed findings and appropriate recommendations as well as an implementation plan agreed on with Management to correct the deficiencies.

REQUIREMENTS

Project Schedule

Provide a detailed schedule showing your work breakdown, activity sequence, key milestones, and a confirmation of your ability to meet the milestones. You will specify the methods and tools that you will use to measure and monitor effectiveness of the assignment.

Project Cost

An itemised project cost that references each identified activity / milestone and its associated costs. The budget should cover professional and reimbursable fees, fee rates, number of days and a breakdown of the expenses.

Experience

Please provide references for at least three corporate clients who have successfully undergone a similar assignment. Submit the contract/Local Service Order/Letter of Award in the English language. You may also share recommendation letters from these clients for work done in the past 24 months that involved the delivery of vulnerability assessment, penetration testing and cyber-security awareness training services. The proposal should contain at least two detailed CVs of the team members who will undertake the VAPT & cyber awareness training.

Mandatory requirements

  • A well-established cyber security focused firm with a good track record of providing cybersecurity services in Kenya and the wider region.
  • Solid knowledge and demonstrated experience in conducting cybersecurity reviews, vulnerability assessment and penetration testing, providing training, and providing actionable insights on the outcome of the reviews.
  • Ability to turn around the assignment and deliver within the set deadlines.
  • Previous experience in Google Workspace and cloud, Microsoft Business Central security audit (rich client and web portal), and Microsoft SQL database audit.

EVALUATION CRITERIA

Assessment criteria, with the weighting (%) of each criterion given in brackets:

Experience of the Consultant/firm
  • A well-established cyber security focused firm with a good track record of providing cybersecurity services in Kenya and the wider region for at least five years. (10)
  • Solid knowledge and demonstrated experience in conducting cybersecurity reviews, vulnerability assessment and penetration testing, providing training, and providing actionable insights on the outcome of the reviews, supported by three letters of reference. (25)

Approach and methodology
  • Methodology/approach for the assignment as outlined in the Scope, including the rationale for the chosen methodology and the methods and tools that will be used. (25)
  • Content, quality, and completeness of the proposal: demonstrable understanding of the ToRs. (10)

Staff schedule, work and deliverable schedule
  • Adequacy of the proposed staff schedule to meet the needs of the ToR. (10)
  • Responsiveness of the proposed work plan in relation to the ToR. (10)

Key Professional Personnel Qualification for the Assignment
  Note: Bidders are to respond in relation to the key personnel requirement and evaluation criteria in this section.
  • Responsiveness of the CVs to the requirements of the ToR. (10)

APHRC will undertake a due diligence assessment and screening of the preferred bidder to include reference checks. APHRC will share a Third-party screening questionnaire to aid in processing the assessment and screening. APHRC reserves the right to proceed or reject bidder(s) depending on the outcome of this assessment and consider the next ranked bidder. The findings of this assessment will be kept confidential and used internally for the purposes of this evaluation.

If you would like to lodge a complaint regarding this procurement process, please write to procurement@aphrc.org with the reference “IT security and Configuration Audit”. The APHRC procurement team will acknowledge receipt of the complaint in writing.

SUBMISSION

Interested bidders should send proposals by email to consultancies@aphrc.org, copying procurement@aphrc.org, on or before 21st December 2023 at 17:00 HRS (EAT), with the subject line “IT security and Configuration Audit”. If you have any clarification questions, please email us at consultancies@aphrc.org no later than 5th December 2023. Only shortlisted candidates will be contacted.

SPECIAL NOTICE

APHRC is an equal opportunity employer committed to creating a diverse and inclusive workplace. All employment decisions are made based on qualifications and organizational needs. Reasonable accommodation may be provided to applicants with disabilities upon request to support their participation in the recruitment process.