African Reinsurance Corporation

Socit Africaine de Rassurance

28th July 2015

REQUEST FOR PROPOSAL ICT AUDIT

BACKGROUND
African Reinsurance Corporation (Africa Re) was established in 1976 by 36 member States of the
African Union and the African Development Bank Group (AfDB). It is the leading reinsurance company
in Africa and the Middle East with diplomatic status in its current 41 African member countries. Its
shareholding is split between African (75%) and Non-African (25%) investors. African shareholding
comprises 41 African states, the AfDB and more than 100 African insurance/reinsurance companies from
the 41 member countries. Non-African shareholding is made up of PROPARCO (subsidiary of the AFD,
France), IRB Brasil Re (leading Brazilian reinsurer), AXA (leading global French insurer) and
FAIRFAX (Canadian group of insurance and reinsurance companies across the globe).
At a time when information and technology are integral to every aspect of business, the need to extract
more value from IT investments and manage an increasing array of IT-related risks has never been
greater. Increasing regulation is also driving heightened awareness amongst boards of directors of the
importance of a well-controlled IT environment and of the need to comply with legal, regulatory and
contractual obligations. In response to these needs, Africa Re is seeking the services of a consulting firm
to undertake a comprehensive ICT audit of its IT systems and infrastructure. The detailed terms of
reference are provided below.

TERMS OF REFERENCE
Africa Re has invested in a IT infrastructure upgrade which, upon completion, will see the corporation
have a primary data centre in Lagos, Nigeria and a redundancy/recovery site in Casablanca, Morocco.
Both of these sites are hosted by 3rd parties. All the six regional offices of Africa Re and two subsidiaries
will connect to the primary data centre for daily business operation and to the recovery site via dedicated
VPN links in case of a disaster . All the core business applications will be implemented at the Primary
site and automatically replicated at the Recovery sites with the data mirrored on a continuous basis. The
regional office locations and subsidiary locations will however maintain network insfrastructure and
communication systems to enable them connect with either of the primary or recovery data centres. The
corporation has also outsourced the hosting of its email system and website to 2 different offshore
companies, each with their own redundancy sites.

T +234-1-461 6820/461 6828/280 0924/280 0925

F + 234-1-280 0074
W www.africa-re.com E info@africa-re.com

Plot 1679, Karimu Kotun St.

Victoria Island,
P.M.B.12765, Lagos, Nigeria

The consultant is expected to review the entire IT system infrastructure and operations at the primary
site, the recovery site and selected regional office locations and assess its robustness in meeting
anticipated objectives. The consultant will be required to adhere to the terms of reference stated below
and where necessary expand the scope. The specific tasks the consultant is expected to carry out include:

The ICT Audit at these locations shall include, but not be limited, to the following:1) IT Governance Audit
a) Alignment of IT and business strategy
b) Delivery of IT services in line with business requirements
c) Long term and short term IT strategies
d) Review of IT Budgets for the last three years
e) IT training schedules
f) Assessment of IT Steering Committee activities
g) IT skills assessment
2) Operating System (OS) for applications, databases and network equipment
Review
a) Logical access controls
b) User access management & security
c) Set up and maintenance of system parameters
d) Patch and update management
e) Benchmarking of security configuration
f) Network access control
g) Intrusion prevention & detection systems
3) Applications and databases security review
a) Logical access controls
b) User access management & security
c) Set up and maintenance of system parameters
d) Patch and Update Management
e) Benchmarking of security configuration
4) Review of IT Processes and operations
a) IT asset management (acquisition and disposal of IT equipment)
b) Help Desk
c) Information systems acquisition, development and maintenance
d) IT incident management
e) Network performance management
f) Backup & media management
g) Enterprise antivirus management
h) Vendor selection
i) Third party service delivery management
5) Security Management
a) IT security policies alignment with ISO27001:2013
b) Information security roles and responsibilities
c) Vulnerability management practices
d) Applications security configurations & management
e) LAN and Wireless LAN security
f) Mobile computing security review

2/4

g) Physical security review

h) Security training and awareness
6) IT continuity audit
a) BCM/DRP plans and their testing
b) DRP sites and locations
c) Communication and awareness of BCM/DRP
7) Review the existing policy documents of the corporation such as IT Policy, IT
Standard Operating Procedures, IT Security Policy etc., and suggest required
changes.
The audit exercise is anticipated to take place during the month of October 2015, a time when the
ongoing system upgrade is expected to have been completed.

DELIVERABLES
The prime deliverable is a comprehensive ICT Audit Report that includes the following at the minimum:

Executive Summary
Strong points identified
Weaknesses Identified
Conclusions
Recommendations for improvement
Action plan to guide the implementation of the recommendations

PROJECT MILESTONES
Inception Report: The consultant will submit an inception report within 7 days after commencement and
after consultations with key stakeholders.
Draft Report to be submitted midway through the project. The draft report should have detailed analysis
of the project status, a proposed plan for presentation, discussion and adoption of the recommendations.
Final Report to be submitted 1 week after receiving comments from the corporation.

CLARIFICATION AND AMENDMENT OF REQUEST FOR PROPOSAL

Consultants may request for clarification only up to 7 days before proposal submission date. Any request
for clarification must be sent in writing by paper mail, facsimile or email to the corporation address
indicated below. The corporation will respond by paper mail, facsimile or email to such requests and will
send written copies of the response (including an explanation of the query but without identifying the
source of the inquiry) to all invited consultants who intend to submit proposals.
At any time before the submission of proposals, the corporation may for any reason, whether at its own
initiative or in response to a clarification requested by an invited firm, amend the Request for Proposal.
Any amendment shall be issued in writing through addenda. Addenda shall be sent by paper mail,

3/4

facsimile or email to all invited consultants and will be binding on them. The corporation may at its
discretion extend the deadline for the submission of proposals.
PROPOSAL PREPARATION
Invited consulting firms should submit written proposals that include the following details:
a) Companys Identification Number
b) A brief description of the firms organization and an outline of recent experience on assignments
of similar nature. For each assignment, the outline should indicate inter alia, the profiles of the
proposed staff, duration of the assignment, contract amount and the firms involvement.
c) Any comments or suggestions on the terms of reference, a list of services and facilities to be
provided by the corporation
d) A description of the methodology and workplan for performing the assignment
e) A list of the proposed staff team by specialty, the tasks that would be assigned to each staff team
member and their timing
f) CVs for proposed professional staff. Key information should include professional qualifications,
number of years working for the firm and degree of responsibility held in various assignments
during the last 5 years
g) Estimates of the total staff input needed to carry out the assignment
h) Activity (work) schedule
i) Proposed fees (broken down by activity)

PROPOSAL SUBMISSION
The original proposal shall be prepared in indelible ink. It shall contain no interlineations or overwriting,
except as necessary to correct errors made by the Consultants themselves. Any such corrections must be
initialed by the person authorized to sign the proposals.
The Proposals must be delivered to the submission address indicated below and received by Africa Re no
later than 25th August 2015, or any extension to this date as the case may be. Any proposal received by
the Africa Re after the deadline for submission shall be rejected.
Submission Address:
The Tender Committee
African Reinsurance Corporation
Plot 1679 Karimu Kotun Street
Victoria Island PMB 12765 Lagos, Nigeria
Telephone: (+234-1) 461 6820/461 6828/280 0924/280 0925
Fax: (+234-1) 280 0074
Email: tender@africa-re.com
Yours Sincerely

Ken Aghoghovbia
Deputy Managing Director/COO

4/4