Advanced Search

Expression of Interest: Information Systems Audit

09 June 2008, Bank of Mauritius

1. The Bank of Mauritius (Bank) intends to have an Information Systems (IS) Audit that will determine the security and policy decisions required to ensure the protection of all internal information resources. The Bank invites Expressions of Interest from consultants/consulting firms having a minimum of five years experience and a proven track record in projects of a similar nature, who wish to carry out the IS Audit exercise at the Bank.

2. The IS Audit will entail conducting a risk assessment of the IS Systems at the Bank: identification and evaluation of the risks. In the light of the risk assessment exercise, the selected consultants/consulting firms should recommend and assist in implementing a set of best practices governing the Management of Information Systems at the Bank.

3. The duration of the IS Audit exercise is expected to be around 10 weeks. The consultants/consulting firms should deliver at the end of the Audit exercise, a complete Audit Report comprising an Executive Summary, Findings and Recommendations which should include, but not limited to, System Vulnerabilities, Security Program Management of Information Technology Resources and Application Life Cycle Controls. The Terms of Reference for the IS Audit are annexed.

4. Expressions of Interest shall include the qualifications and experience of the consultants/resource persons from consulting firms. Details of similar projects carried out by the consultants/consulting firms shall also be included. Expressions of interest received after the date and time stated in paragraph 7 below will not be considered.

5. The Bank reserves the right to accept or reject any expression of interest and to annul the exercise and reject all expressions of interest without thereby incurring any liability to any participant or any obligation to inform those who have expressed interest of the grounds of its action.

6. Selected consultants/consulting firms shall be convened at the Bank for a detailed presentation of the IS Audit exercise.

7. Expressions of Interest shall be forwarded by e-mail to head.corp.services@bom.intnet.mu or submitted in a sealed envelope to the Head, Corporate Services Division, Bank of Mauritius, Sir William Newton Street, Port Louis so as to reach him by 17.00 hours on Friday 20 June 2008 at latest. The words “Expression of Interest – Information Systems Audit” should be clearly marked on the top left hand corner of the envelope.

Terms of Reference 

A comprehensive Information Systems Security Audit must be undertaken covering the various key processes and procedures undertaken at the following two locations / sites:-

i) IT Section location at the Bank of Mauritius Headquarters

ii) Bank’s Disaster Recovery Centre at Free Port – Mer Rouge

A complete audit of the Systems shall be completed within ten (10) weeks after the award of contract.

The IS/IT Audit at the two locations shall include, but not be limited, to the following:-

1) Operating System (OS) for servers, Databases, network equipment, Security Systems, Storage Area Networks.

a. Set up and maintenance of system parameters

b. Patch Management

c. Change Management Procedures

d. Logical Access Controls

e. User Management & Security

f. OS Hardening g. Performance, Scalability and Availability

2) Review of IT Processes and IT Management Tools

a. IT Asset Management

b. Enterprise Management System

c. Help Desk

d. Change Management

e. Incident Management

f. Network Management

g. Backup & Media Management

h. Enterprise Anti-Virus Management

i. Vendor & SLA Management

3) Security Management

a. Security Equipment Configurations & Policies

b. Penetration testing and Vulnerability Assessment (PT / VA) of various security zones.

4) Network & systems audit

a. Network architecture review

b. Network traffic analysis and base lining

c. Virtual LANS (VLANs)

5) Review the existing policy documents of the bank such as IT Policy, IT Procurement Policy, IS Security Policy etc., and suggest required changes.