Statement of Work
1. Background
2. Scope
This Statement of Work (SOW) describes the requirements for the Risk Assessment
Services.
The following services are considered to be within the scope of this tender:
V8
Page 1 of 9
Statement of Work
Risk Assessment Services
Dated 8.1.2015
The IAEA is not seeking a one-size-fits-all risk assessment service but rather a
multi-tiered risk assessment approach that can be used for varying project sizes. All
deliverables must be based on internationally accepted standards.
3. Requirements
3.1. Assist in the development and implementation of a sustainable
information security risk assessment process and related procedures
3.1.1 Develop an initial baseline of an Agency-wide threat statement and
related process to regularly review and update this threat statement.
3.1.2 Provide substantive advice and support on establishing standardized,
consistent, repeatable, updatable/revisable assessment processes that
produce comparable results between assessments.
Multiple tiers, or levels and depth of a risk assessment, are defined by:
a)
b)
c)
d)
e)
10 major risk assessments for larger projects (typically taking more than 10
days of total effort);
30 medium risk assessments for activities that cover smaller projects and
application releases (typically taking up to 10 days of total effort);
100 small risk assessments covering revisions/changes to existing
systems/applications (typically taking up to 2 days of total effort).
The IAEA expects 50% of the above risk assessments to be performed on-site.
3.2.6 The Contractor shall provide services on request. The IAEA understands
that there may be circumstances where the Contractor does not have
appropriately qualified resources available for a specific service request
on short notice. For these reasons, the IAEA will clearly identify the
priority of all service requests. The response time required of the supplier
regarding availability to provide the service is based on the priority of the request:
Priority    Response time               Initiating work
            Within 8 business hours     Within 2 business days
Normal      Within 16 business hours    Within 10 business days
In the event of conflict between the standards listed above and the content of this
statement of work, the content of this statement of work shall take precedence to
the extent of the conflict.
3.5. Place
3.5.1 The location for on-site services is the Vienna International Centre,
Vienna, Austria.
3.5.2 The initial work and knowledge exchange will take place in Vienna.
3.5.3 Risk assessments that are deemed highly confidential or in other ways
highly sensitive will be performed on-site. This will be identified in the risk
assessment request.
3.5.4 All other risk assessments may be performed at the Contractor's location.
3.6. Qualifications
3.6.1 The Contractor shall have a minimum of five years of experience providing
the services described in the Statement of Work.
3.6.2 The Contractor shall have a proven record of at least five satisfied
customers to whom the relevant services were provided within the past
two years.
3.6.3 The Contractor shall provide consultants with the following profiles:
3.6.3.1
3.6.3.2
3.6.3.3
3.6.3.4
3.6.3.5
3.6.3.6
5. IAEA Responsibilities
The IAEA will have the following responsibilities: