
Statement of Work

Risk Assessment Services


Dated 8.1.2015

Statement of Work
1. Background

The IAEA (Agency) Information and Communication Technology (ICT) infrastructure
and computing environment consists of state-of-the-art hardware and software
platforms.

The IAEA already deploys a risk-management framework at the corporate level, led by
the Director General's Office for Coordination.

The Division of Information Technology (MTIT) and the Office of Safeguards Information
and Communication Systems are now developing an Information Security Risk
Management program. One aspect of this program is the requirement to
perform risk assessments. To implement this requirement effectively, professional
risk assessment services are needed to complement and supplement the
current in-house risk assessment capabilities.

The services shall be used to assess existing, planned and emerging technologies
and practices, including:

- ICT processes, including software development;
- ICT architecture and related infrastructure;
- Technologies (e.g. system, network, mobile, web, cloud, IT security);
- Information handling and management.

2. Scope
This Statement of Work (SOW) describes the requirements for the Risk Assessment
Services.

The following services are considered to be within the scope of this tender:

- Assistance in the development and implementation of a sustainable
  information security risk assessment process and related procedures;
- Performing information security risk assessments;
- Information security risk assessment training.

The IAEA is not seeking a one-size-fits-all risk assessment service but rather a
multi-tiered risk assessment approach that can be used for varying project sizes. All
deliverables must be based on internationally accepted standards.
3. Requirements
3.1. Assist in the development and implementation of a sustainable
information security risk assessment process and related procedures
3.1.1 Develop an initial baseline of an Agency-wide threat statement and
related process to regularly review and update this threat statement.
3.1.2 Provide substantive advice and support on establishing standardized,
consistent, repeatable and revisable assessment processes that
produce comparable results between assessments.
Multiple tiers, or levels and depth of a risk assessment, are defined by:
a) Overall cost of a project;
b) Information sensitivity;
c) System exposure;
d) Extent of a change; and
e) The initial level of the perceived risk factors for likelihood and impact.

3.1.3 Provide substantive advice and support on establishing a methodology
integrating:

- Capability-based attack tree analysis [1];
- Threat statement definition, modelling, and/or
- Other IAEA accepted methodology.


3.1.4 Provide substantive advice and support on establishing the complete
documentation process, including a risk assessment request, as well
as a reporting and approval process that will enable the IAEA to
review and accept the results. This process will include the following
deliverables:

- Quarterly risk assessment plan;
- Ad hoc risk assessment request form and related procedure;
- Standard report formats and guidance;
- Risk assessment acceptance form and related procedure.


[1] The tool currently used by the IAEA is Amenaza SecurITree.

If the proposed risk assessment processes require specialized software, this
software should be included in the tender.
3.2. Performing information security risk assessments
3.2.1 Perform assigned risk assessments by executing requests to assess and
validate the security posture of the existing ICT environment and practices,
of proposed changes to the ICT environment, and also of information
handling practices.
3.2.2 Risk assessments must be led by risk assessment experts supported by
technical subject matter experts knowledgeable in the current and
emerging technical, threat and attack landscape that is relevant to the
subject of the assessment. Assessments will be performed through
collaboration with in-house subject matter experts as appropriate.
3.2.3 Provide guidance and support for security programme initiatives in the
form of expert advice on the high level project definition documentation
and consult with the in-house staff on project effort estimation,
prioritization and sequencing of project tasks as related to the threat and
risk of the project.
3.2.4 The results of all risk assessments shall be submitted using the appropriate
standard report formats along with all working papers. Requests may
specify deliverables consisting of a traditional report of the findings, or of
an opinion paper provided as a means of differentiating architectural
options and selections based upon specific criteria. The type of report
required will be identified in the service request, such as:

- Full report: includes all assessment raw data, summary data and recommendations.
- Brief report: includes summary data and recommendations.


3.2.5 All deliverables will be marked in accordance with the Agency information
classification requirements and will be protected in accordance with the
Agency standards.
The IAEA estimates the following volume/number of risk assessments to be
performed during a one-year period:

- 10 major risk assessments for larger projects (typically taking more than 10
  days of total effort);
- 30 medium risk assessments for activities that cover smaller projects and
  application releases (typically taking up to 10 days of total effort);
- 100 small risk assessments covering revisions/changes to existing
  systems/applications (typically taking up to 2 days of total effort).

The IAEA expects 50% of the above risk assessments to be performed on-site.
3.2.6 The Contractor shall provide services on request. The IAEA understands
that there may be circumstances where the Contractor does not have
appropriately qualified resources available for a specific service request
on short notice. For this reason, the IAEA will clearly identify the
priority of all service requests. The time within which the Contractor must
respond with its availability, and within which it must initiate the work,
depends on the priority of the request:

Priority                                  Response time              Initiating work
High (approximately 5% of the total       Within 8 business hours    Within 2 business days
volume of requests)
Normal                                    Within 16 business hours   Within 10 business days

Multiple methods of analysis, such as capability-based attack tree analysis and
threat modelling techniques, shall be applied as appropriate for the subject of the
assessment, i.e. whether it is a software development, or an existing or emerging
technology.
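Section 3.1.3 asks for a methodology built on capability-based attack tree analysis, and the paragraph above asks that such analysis be applied as appropriate to the subject being assessed. The following is an added worked example, not part of the SOW and not Amenaza SecurITree's code, of what "capability-based" means in practice: an AND/OR attack tree whose leaves carry cost and skill requirements is evaluated against named attacker profiles, scenarios the attacker cannot afford or execute are pruned, and a candidate control is compared by re-pricing a leaf. The tree, its cost and skill figures and the two attacker profiles are constructed for illustration and describe no real system.

```python
"""Capability-based attack tree analysis (added worked example, not SOW text).
The tree, its cost/skill figures and the attacker profiles below are
constructed for illustration only; they describe no real IAEA system."""
from dataclasses import dataclass, field, replace
from itertools import product
from typing import Dict, List, Tuple


@dataclass
class Node:
    name: str
    kind: str                                   # "AND", "OR" or "LEAF"
    children: List["Node"] = field(default_factory=list)
    cost: int = 0     # leaf only: money the attacker must spend (EUR, assumed)
    skill: int = 0    # leaf only: technical skill needed, 1 (trivial) to 10 (expert)


def leaf(name: str, cost: int, skill: int) -> Node: return Node(name, "LEAF", cost=cost, skill=skill)
def AND(name: str, *children: Node) -> Node: return Node(name, "AND", list(children))
def OR(name: str, *children: Node) -> Node: return Node(name, "OR", list(children))


@dataclass(frozen=True)
class Attacker:
    name: str
    budget: int   # EUR the attacker is willing to spend
    skill: int    # highest skill level the attacker can muster


Scenario = Tuple[str, ...]   # leaf names that must all succeed for the root to succeed


def scenarios(node: Node) -> List[Scenario]:
    """Enumerate every attack scenario (cut set) of the tree."""
    if node.kind == "LEAF":
        return [(node.name,)]
    if node.kind == "OR":
        return [s for child in node.children for s in scenarios(child)]
    # AND: every child must succeed, so combine one scenario from each child
    combined = []
    for combo in product(*(scenarios(child) for child in node.children)):
        combined.append(tuple(dict.fromkeys(n for s in combo for n in s)))  # dedupe, keep order
    return combined


def leaves(node: Node) -> Dict[str, Node]:
    """Index of leaf nodes by name."""
    if node.kind == "LEAF":
        return {node.name: node}
    index: Dict[str, Node] = {}
    for child in node.children:
        index.update(leaves(child))
    return index


def feasible_scenarios(tree: Node, attacker: Attacker) -> List[Tuple[int, int, Scenario]]:
    """Scenarios this attacker can carry out, cheapest first, as (cost, skill, steps).
    Feasible: total cost within budget and no single step beyond the attacker's skill."""
    index = leaves(tree)
    result = []
    for steps in scenarios(tree):
        cost = sum(index[n].cost for n in steps)
        skill = max(index[n].skill for n in steps)
        if cost <= attacker.budget and skill <= attacker.skill:
            result.append((cost, skill, steps))
    return sorted(result)


def with_control(tree: Node, leaf_name: str, cost: int, skill: int) -> Node:
    """Model a countermeasure by re-pricing one leaf; returns a new tree, original untouched."""
    if tree.kind == "LEAF":
        return replace(tree, cost=cost, skill=skill) if tree.name == leaf_name else tree
    return replace(tree, children=[with_control(c, leaf_name, cost, skill) for c in tree.children])


# Constructed sample tree for a hypothetical internal document store.
DOC_STORE = OR(
    "Read confidential project documents",
    AND("Steal staff credentials",
        leaf("Craft spear-phishing email", cost=200, skill=4),
        leaf("Host credential-harvesting page", cost=100, skill=3)),
    leaf("Exploit unpatched remote-access appliance", cost=5000, skill=8),
    AND("Use physical access",
        leaf("Tailgate into the building", cost=0, skill=1),
        leaf("Plug rogue device into an office network port", cost=300, skill=3)),
)

# Constructed attacker profiles.
VISITOR = Attacker("Opportunistic visitor", budget=500, skill=3)
CRIME_GROUP = Attacker("Organised criminal group", budget=50_000, skill=8)


def report(tree: Node, attacker: Attacker) -> str:
    found = feasible_scenarios(tree, attacker)
    if not found:
        return f"{attacker.name}: no feasible attack scenario"
    cost, skill, steps = found[0]
    return (f"{attacker.name}: {len(found)} feasible scenario(s); cheapest costs "
            f"EUR {cost} at skill {skill}: {' -> '.join(steps)}")


if __name__ == "__main__":
    for who in (VISITOR, CRIME_GROUP):
        print(report(DOC_STORE, who))
    # Compare an option: badge-controlled turnstiles make tailgating costly and skilled.
    hardened = with_control(DOC_STORE, "Tailgate into the building", cost=2000, skill=6)
    for who in (VISITOR, CRIME_GROUP):
        print("with turnstiles ->", report(hardened, who))
```

The point the example makes is that the same tree yields different findings per threat agent: the low-budget visitor has exactly one feasible path (physical access), and the turnstile control removes it entirely for that agent while merely changing which path is cheapest for the well-resourced group. Re-running the pruning for each architectural option is how an attack tree supports the "opinion paper" deliverable of 3.2.4; a real assessment would add further capability dimensions (for instance noticeability or time) and draw the cost and skill figures from the Agency-wide threat statement of 3.1.1 rather than from assumptions.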
3.3. Information security risk assessment training
The Contractor shall provide training, training materials and coaching on the
methodologies and tools to enable participants to understand the process,
function effectively as risk assessment team members and to perform or lead risk
assessments.
This training and coaching will need to be performed regularly over the term of
the contract.
3.4. Applicable standards
The following standards apply:

- ISO 27000 series;
- ISO 31000 series.

In the event of conflict between the standards listed above and the content of this
statement of work, the content of this statement of work shall take precedence to
the extent of the conflict.

3.5. Place
3.5.1 The location for on-site services is the Vienna International Centre,
Vienna Austria.
3.5.2 The initial work and knowledge exchange will take place in Vienna.
3.5.3 Risk assessments that are deemed highly confidential or in other ways
highly sensitive will be performed on-site. This will be identified in the risk
assessment request.
3.5.4 All other risk assessments may be performed at the Contractor's location.

3.6. Qualifications
3.6.1 The Contractor shall have a minimum of five years of experience providing
the services described in the Statement of Work.
3.6.2 The Contractor shall have a proven record of at least five satisfied
customers to whom the relevant services were provided within the past
two years.
3.6.3 The Contractor shall provide consultants with the following profiles:
3.6.3.1 Fluent English for written and oral communications;
3.6.3.2 Experience in providing consultancy and/or training in a highly
confidential environment;
3.6.3.3 Industry certifications or similar qualifications appropriate to the
services provided: at least two (2) of those listed below:
- Certified in Risk and Information Systems Control (CRISC);
- Certified Risk Analyst (CRA);
- Professional Risk Manager (PRM);
- Information Systems Security Architecture Professional (ISSAP);
- SABSA certifications for Security Architects: Foundation, Practitioner
  and Master;
- TOGAF 9.1 Certified (The Open Group Architecture Framework);
- Experienced SANS instructor or mentor;
- COBIT 5 certifications (above Foundation).
3.6.3.4 A minimum of five years of relevant experience;
3.6.3.5 Experience performing and teaching Risk Assessments and Threat
Modelling methodologies;
3.6.3.6 Experience in making presentations on security topics at recognized
information security industry conferences.

3.7. Information Handling


It is imperative that sensitive information is properly handled and protected by the
Contractor.
The Contractor shall ensure that:
3.7.1 The IAEA Non-Disclosure Agreement (NDA) is duly signed, and that all
personnel providing services or having access to information related to
the services provided under this contract have signed the IAEA NDA;
3.7.2 Transmission of requests for services or reports and other output that
contain sensitive information shall be encrypted during transmission
between the Contractor and the IAEA. The method of encryption and
management of key material shall be agreed upon by both Parties;
3.7.3 Storage of sensitive information relating to current or past vulnerabilities
or ICT security incidents at the Contractor's site shall be protected to
ensure there is no unauthorized release of information. After providing a
copy of all information related to a specific request for services, the
Contractor shall provide assurance to the IAEA that all sensitive
information related to the service request has been permanently removed
from all of the Contractor's systems;
3.7.4 Immediate notification, within 4 hours, must be made to the IAEA if the
Contractor suspects a breach of Agency provided or associated
information.
3.8. Quality assurance and monitoring of work deliverables
3.8.1 All interim drafts and working materials shall be provided in electronic
format and comply with the provided Agency classification and marking
standards.
3.8.2 The IAEA will review and validate these drafts and working materials and
may request clarification and/or correction.


3.9. Formal acceptance of deliverables


3.9.1 All final deliverables shall be provided in electronic format and comply with
the provided Agency classification and marking standards.
3.9.2 The IAEA will formally accept the final deliverables in writing only.

4. Deliverable data items


The Contractor is expected to be transparent when it comes to reporting and include
documentation on the processes, tools and approaches used to complete the agreed
upon task(s). There shall be no ambiguity related to the deliverables at the
conclusion of the tasks, since they will have been agreed upon in detail prior to
commencement of the engagement.
The Contractor shall deliver the following data items:

- Quarterly risk assessment summary report;
- Risk assessment reports, working materials and artefacts on completion of
  each risk assessment.

5. IAEA Responsibilities
The IAEA will have the following responsibilities:

- The IAEA will provide appropriate and necessary technical information;
- The IAEA will provide risk assessment team participants and subject matter
  experts;
- The IAEA will provide timely responses to requests for further information,
  review draft documents and provide comments.

Attachment 1: IAEA Information Technology Environment description

1.1. Information and communication systems are central to the IAEA's mission and daily
business activities, as they are utilized to routinely exchange information among
management and staff, with member states and other third parties in the public and
private sectors. This is accomplished through the normal enterprise business and
communications systems, restricted-access and public web and collaboration
services, and staff remote access systems that are hosted both internally and in
cloud-based systems. In addition to the systems supporting daily business activities,
the IAEA has information and communications systems supporting the highly
sensitive Nuclear Security and Safeguards activities.
1.2. The information technology infrastructure supports ~3000 users (staff and
consultants) located at one primary location (Vienna International Centre) with four
additional permanent facilities located in Austria, Canada, Monaco and Japan.
1.3. The IAEA has a partially centralized IT management organizational structure.
Centralized IT management provides network, server, end point and security
operations planning and administration as well as software development and
maintenance. Additionally, there are staff members within divisions throughout the
Agency providing software development, server-based applications administration
and local IT client support.
1.4. While all staff members have information security responsibilities, the IAEA has a
number of staff positions dedicated to security functions. These include:
- Central Security Coordinator (responsible for all aspects of security except for
  Information Security);
- Chief Information Security Officer (a newly created position currently being
  recruited);
- Safeguards Information Security Officer;
- Security operations groups, supporting:
  o Access control
  o Threat management
  o Incident response
  o IT security engineering
- Information and IT security engineers, supporting:
  o Risk management
  o Security assessments
1.5. The IAEA has a formal information security policy. There are also Agency policies
related to various information security related activities. Additionally, each
Department may also issue additional policies and the Department of Safeguards
has policy and procedures focused on protecting the confidentiality and integrity of
the sensitive information that is central to their mission. On an ongoing basis, both
internal and external audits and security assessments are performed.
1.6. The technology underlying these services that are administered by IAEA staff
includes:
- 350+ servers, physical and virtualized (highly virtualized), Windows and
  Linux (predominantly Windows);
- 3000+ client computers (desktop and notebook; Windows, Mac and Linux,
  predominantly Windows);
- Mobile devices (BlackBerry, iPad, iPhone);
- MS Active Directory, multiple forests/multiple domains and additional
  standalone domains (such as for the DMZ);
- Cisco IPv4 wired and wireless networks, supporting client and server
  environments and Internet access;
- Network security systems providing access control; threat identification and
  blocking; centralized logging and Security Event and Incident Management;
- Multiple inter-site network communications connections;
- Multiple remote access systems;
- On-site dedicated data centers and rooms;
- Cloud-based and outsourced resources;
- Centralized and local IT Service Desks;
- Commercial and bespoke applications: client, client-server and web-based;
- Specialized laboratory and remote monitoring applications and systems;
  o The deployed remote monitoring systems are out of scope for this
    assessment;
- Disaster recovery infrastructure;
  o Reference 1.3: the functionality of this infrastructure is out of scope.
    However, connectivity with the production infrastructure is in scope.
1.7. Application and system development is provided by IAEA staff and consultants for
in-house and technology transfer projects, utilizing multiple platforms and
languages.
