Monday, January 14, 2019

FHI360 RFP: White Hat Hacker for Penetration Test of Web Based Application System

1.     Background


Linkages Across the Continuum of HIV Services for Key Populations Affected by HIV – or “LINKAGES” – is USAID’s first global project dedicated to key populations (KPs). LINKAGES aims to accelerate the ability of partner governments, key population civil society organizations and the private sector to more effectively plan, deliver and optimize comprehensive, scaled HIV/AIDS prevention, care and treatment services that reduce HIV transmission among KPs and their sexual partners and improve the quality of life for those who are HIV positive.


LINKAGES is led by FHI 360, in partnership with Pact, IntraHealth International, and the University of North Carolina (UNC) at Chapel Hill. The project also taps into and amplifies local capacity for long-term sustainability and country ownership of key population programming. To that end, LINKAGES engages a diverse array of experienced organizations and specialist experts already working with key populations in Indonesia. LINKAGES prioritizes programming that aligns with PEPFAR 3.0’s five key agendas – impact, efficiency, sustainability, partnership and human rights – to achieve the global 90-90-90 goals, sustainable programming, and an AIDS-free generation.

Accordingly, LINKAGES focuses its resources on two priority areas – Jakarta and Papua – where the potential for epidemic control is greatest. Under the leadership of the GOI, we also advance technical innovations that are evidence-based but may not yet be enshrined in policy or practice. LINKAGES will accelerate the ability of governments, key population leaders, organizations working with key populations, and private-sector providers to plan and implement services that reduce HIV transmission among key populations and their sexual partners and extend the lives of those already living with HIV. The key elements of the FHI 360-led team’s strategic and technical approach are:
1.     Identifying key populations and locales and comprehensively assessing risk,
2.     Diagnosing “leaks” and revealing access barriers within the HIV services cascade,
3.     Scaling up “what works” while innovating to ensure the most strategic use of resources and access to newly emerging technologies,
4.     Addressing structural barriers and transforming local KP organizations,
5.     Ensuring interventions are sustainable over the long term, and
6.     Supporting the mainstreaming of human rights, gender and competency and capacity development.
As part of approach point 3, scaling up “what works” while innovating to ensure the most strategic use of resources and access to newly emerging technologies, LINKAGES Indonesia has been supporting the Government of Indonesia in implementing emerging technology approaches for better data management and good governance. Between April 2016 and September 2018, LINKAGES Indonesia developed the following software applications:

a.     Prevention Area: LINKAGES has provided TA and support to the Provincial AIDS Commission and district AIDS Commissions, including TA-SDI for all CSOs working in Jakarta. Now 78% of the CSOs working in Jakarta have benefited from LINKAGES TA; they use an integrated application system called the Community Outreach Management System (COMS), also known as the “Outreach databank”. The application runs at http://databank.jakartaaids.org.

b.     Treatment Area: LINKAGES has also been providing TA and support to the Provincial Health Office (PHO) and 5 District Health Offices (DHO), including TA-SDI for all CSOs working in Jakarta. Now 100% of the CSOs working in Jakarta have benefited from this TA; they use an integrated application system called “Jak-track”, previously known as the “DOKLING” system.

c.     Internal Management Information System: besides developing applications to support the government, LINKAGES also uses a web based application system called the “Client Management System”, referred to as “CMD”. This application is only for internal reporting between CSO partners and LINKAGES, but it is strategic because it also collects individual-level data.

During FY 2016, LINKAGES support focused on backend development for the COMS/Databank, Jak-track/DOKLING and CMD application systems. In fiscal year 2018 (FY18/COP17), LINKAGES upgraded those systems with reporting, analysis and front-end development. For FY19, LINKAGES plans to focus on “security and safety”, not only of the software/application code but also of the server security configuration. For that purpose, LINKAGES plans to hire an individual White Hat Hacker (WHH) to perform penetration testing and to provide findings, advice and recommendations for maximum protection of the applications.

2.     Objectives/Deliverable

-        Conducting a penetration test (pen-test) of the Databank web based application system (http://databank-kpap.jakarata.go.id), the Jak-track application (http://jaktrack-dinkes.jakarta.go.id) and the Client Management Database (http://cmd.bantuanteknis.org), including but not limited to physical security testing, social engineering, internal/external and domain infrastructure penetration testing, operating system, security device, database and application penetration testing (including internal and external web applications).
-        Providing a report of findings and advice for improving all those applications to the ICT4D and/or LINKAGES team.

3.     Activities

The incumbent will work under the supervision of the LINKAGES ICT4D Advisor, the Capacity Development & Partner Engagement (CD&PE) team and the Clinical Service Unit (CSU) team, and will be responsible for a series of daily activities including but not limited to:
3a. Domain Infrastructure Penetration Testing, including but not limited to:
1.     Internal:
Through penetration testing, evaluate the possibility of penetrating the Client’s information system from a malicious source such as:
a)    Internet;
b)    3rd party networks;
c)     Internet banking / application system;
d)    Corporate portal site;
e)    Other points of entry, if any;
f)      Analyze the security of the Client’s Internet domains related to Internet based services;
g)    Wireless endpoint devices on the network or accessible in the area;
h)    The wireless access points accessible in the area.
2.     External:
a)    What devices are discoverable on the network;
b)    What network infrastructure is physically accessible;
c)     The model and firmware versions of network devices to see if vulnerabilities exist;
d)    What ports are open on network devices;
e)    What services are available;
f)      What authorization mechanisms (password length/complexity) are in place;
g)    What authentication mechanisms are in place; and
h)    What local user accounts are on devices.
3b. Operating System Testing, including but not limited to:
a)    The version and service pack levels of identified devices;
b)    What ports are open on servers and workstations;
c)     What privileged accounts exist on servers and workstations;
d)    What privileged groups exist on servers and workstations;
e)    What local and network user accounts exist;
f)      Antivirus controls are in place and up to date;
g)    Firewall controls are in use on local systems;
h)    Security auditing is being conducted on local systems and servers;
i)      Authorization mechanisms in place (password length/complexity) are adequate;
j)      Rogue services are running on servers; and
k)     Unauthorized applications are running on servers / workstations.
3c. Security Devices (authentication and authorization services), including but not limited to:
a)    What security devices are discoverable on the network;
b)    What security devices are physically accessible;
c)     What access is possible on security devices;
d)    The model and firmware versions of security devices to see if vulnerabilities exist;
e)    Security incidents and concerns are logged, monitored and reported;
f)      Controls exist to deter or prevent unauthorized access;
g)    Antivirus controls are in place and whether the virus signatures are up to date;
h)    Network filtering devices exist;
i)      Check the adequacy of rule sets, access control lists, etc.;
j)      The version and service pack levels of identified devices;
k)     What ports are open on servers and workstations; and
l)      What privileged accounts exist on servers and workstations.
3d. Application Penetration Testing, including internal and external web applications:
a)    Black-box and white-box penetration test of the Client’s applications, including web applications, conforming to the OWASP Testing Guide (2013).
b)    The testing shall also cover the Client’s Internet-based applications and the security of the soft token, including the following tests:
-        Test whether the token value expires within the expected duration;
-        Test the soft token algorithm for attacks, e.g. targeting its cryptography;
-        Test the soft token application for common application vulnerabilities;
-        Test the possibility of bypassing token authentication in the Internet based application through fuzzing of input.
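The four soft-token tests above map to concrete test cases. The Python below is an example added here; it is not part of the RFP and not the token scheme used by Databank, Jak-track or CMD (the RFP does not describe their token format). It assumes a hypothetical HMAC-SHA256 signed token carrying `iat`/`exp` claims and a 30-second clock-skew allowance, and exercises expiry, tampering (the cryptographic check), replay, and a few malformed inputs of the kind fuzzing would send, so the assessor can see which rejection reason each case should produce.

```python
"""Hypothetical soft-token verifier (example code added to this page).
It is NOT the scheme used by Databank, Jak-track or CMD; the token format,
secret and clock values below are constructed for illustration only."""
import base64
import hashlib
import hmac
import json

SKEW = 30  # seconds of issuer/verifier clock skew tolerated (assumption)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    # validate=True makes non-alphabet characters raise instead of being dropped,
    # so fuzzed garbage is rejected as malformed rather than silently decoded.
    std = text.replace("-", "+").replace("_", "/") + "=" * (-len(text) % 4)
    return base64.b64decode(std, validate=True)


def issue_token(secret: bytes, subject: str, issued_at: int, ttl: int = 300) -> str:
    """Mint base64url(payload).base64url(HMAC-SHA256(secret, payload))."""
    payload = json.dumps(
        {"sub": subject, "iat": issued_at, "exp": issued_at + ttl},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(mac)


def verify_token(secret: bytes, token: str, now: int, seen: set) -> tuple:
    """Return (accepted, reason).  Order matters: authenticate the MAC before
    trusting anything in the payload, then enforce the time window, then
    refuse replays by recording every token that was accepted in `seen`."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    try:
        payload, mac = _b64d(parts[0]), _b64d(parts[1])
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "malformed"
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return False, "bad_signature"
    try:
        claims = json.loads(payload)
        iat, exp = int(claims["iat"]), int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return False, "bad_claims"
    if iat > now + SKEW:
        return False, "not_yet_valid"
    if now > exp + SKEW:
        return False, "expired"
    if token in seen:
        return False, "replayed"
    seen.add(token)
    return True, "ok"


def run_checks() -> dict:
    """Exercise the RFP's soft-token checks with fixed clocks (constructed
    values, no network).  Returns {check_name: rejection_reason_or_ok}."""
    secret = b"demo-secret-not-for-production"  # constructed
    t0 = 1_700_000_000                           # arbitrary fixed epoch
    seen = set()
    good = issue_token(secret, "alice", t0, ttl=300)
    results = {}
    results["fresh"] = verify_token(secret, good, t0 + 10, seen)[1]
    results["replay"] = verify_token(secret, good, t0 + 20, seen)[1]
    results["expired"] = verify_token(secret, good, t0 + 300 + SKEW + 1, set())[1]
    # Tamper: extend the expiry inside the payload but keep the original MAC.
    body, mac = good.split(".")
    claims = json.loads(_b64d(body))
    claims["exp"] += 3600
    forged_body = _b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    results["tampered"] = verify_token(secret, forged_body + "." + mac, t0 + 10, set())[1]
    # Malformed inputs of the kind input fuzzing would send to the endpoint.
    for name, bad in {"empty": "", "nodot": body, "garbage": "!!!.???"}.items():
        results[name] = verify_token(secret, bad, t0 + 10, set())[1]
    return results


if __name__ == "__main__":
    for check, outcome in run_checks().items():
        print(f"{check:>9}: {outcome}")
```

An assessor would run the same matrix against the real endpoint: a fresh token must be accepted, and the replayed, expired, tampered and malformed variants must each be refused with a distinct, logged reason; any case that is accepted, or that yields a stack trace instead of a clean rejection, is a finding.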

4.     Expected Output:
1.     Documentation of the findings for the Databank, Jak-track and CMD security systems.
2.     Technical brief document with suggestions, advice and recommendations for the safety and security of the Databank, Jak-track and CMD application systems.

5.     TIME SCHEDULE


No | Type of Testing | Time Estimation | Duration | Note
1 | Operating System | First week after contract signed | 5 days | 1 consultant
2 | Internal and Domain Infrastructure Penetration Testing | Second week after contract signed | 5 days | 1 consultant
3 | Security Devices | Third week after contract signed | 5 days | 1 consultant
4 | External and Domain Infrastructure Penetration Testing | Within one month after contract signed | 5 days | 1 consultant
5 | Application Penetration Testing (including internal and external web applications) | Within two months after contract signed | 20 days | 1 consultant
6 | Databases | A week after contract signed | Included in the internal pen-test |


6.     Monitoring and Evaluation

Monitoring is the process of collecting and analyzing information about the implementation of a project to determine whether activities are being carried out as planned. Evaluation is the process of collecting and analyzing information at regular intervals about the effectiveness and impact of the project.
The ICT4D Development Advisor will be responsible for evaluating every stage of the process and the agreed deliverables. The incumbent (consultant) must present their plan to the LINKAGES team before visiting any government office or accessing any computer, server or hosting device.
After receiving feedback from the WHH consultant, the ICT4D Advisor, together with the counterpart/government and the software developer consultant, will perform live testing of the application; for any input from the WHH, the consultant will communicate, suggest, advise and/or recommend to the software developer how to refine the system, particularly its safety and security aspects.

7.           Sample Monitoring Matrix

Activity | Process Outcomes and Indicators | Target | Source of Data | Frequency of Reporting
1. Physical testing of servers in the Government network | Databank server & Jak-track server | 2 | Offline | Monthly
2. Physical testing of the server in the FHI360 VPS network | CMD server | 1 | Offline and/or online | Monthly
3. Software testing of the apps in the Government network | Databank server & Jak-track server | 2 | Offline | Monthly
4. Software testing of the app in the FHI360 network | CMD server | 1 | Online | Monthly
5. Final report | # of final reports | 1 | Completion reports | Monthly
6. Present final report | Formal meeting with LINKAGES and the software developer consultant | 1 | Offline | Monthly

8.     Deadline and Submission

If you think you match these criteria and are interested in this challenge and opportunity, please submit your CV to ProcurementIndo@fhi360.org. The deadline for applications is 31 January 2019. Only shortlisted candidates will be invited to the next step of the process.
