- General objective
The primary objective of this engagement is to conduct a comprehensive security assessment of the Portal utilized by the CSB. This includes evaluating the portal’s overall security architecture, analyzing user roles and permissions, assessing database security, reviewing the data hosting environment, examining encryption practices for data at rest and in transit, and performing an in-depth source code audit.
- Specific objectives
- Empower the CSB to fulfil its leading and focal role in supporting public administrations.
- Enhance the security, efficiency, and long-term sustainability of the CSB's portal by identifying vulnerabilities, assessing resource requirements, and recommending cost-effective improvements.
- Anticipated results
Delivery of the Interim and Security Assessment reports by 31/10/2025
- Requirements
- Scope of Work
The vendor is responsible for conducting a comprehensive security audit of the CSB Portal, encompassing all aspects of the system, from user access mechanisms to the underlying infrastructure. Collaboration with representatives from the CSB and Expertise France will be essential throughout the process to ensure a thorough understanding of system requirements and validate findings and recommendations.
Roles and Permissions Management
- Conduct a detailed review of roles, groups, and user permissions to ensure alignment with the principle of least privilege.
- Analyze the use of high-privilege accounts and evaluate user authentication mechanisms.
- Identify risks related to privilege escalation or permission misconfiguration that could lead to unauthorized access to sensitive data.
Data Hosting and Infrastructure Security
- Assess the security of the data hosting environment, including server configurations, network security protocols, firewalls, and segregation of duties.
- Evaluate resilience against threats such as Distributed Denial of Service (DDoS) and phishing attacks.
Database Security
- Perform a thorough assessment of database security, including user access controls, configurations, and encryption mechanisms.
- Validate the adequacy of encryption for data at rest and during transmission.
- Review backup procedures and disaster recovery mechanisms to ensure alignment with best practices for data availability and integrity.
Source Code Security
- Conduct static and dynamic code analysis to identify vulnerabilities like SQL injection, insecure object references, and cross-site scripting (XSS).
- Review third-party modules, libraries, and extensions for potential security risks.
Application Security Testing
- Perform extensive security testing, including:
  - Penetration Testing: Simulate real-world cyberattacks to identify vulnerabilities.
  - Automated Vulnerability Scanning: Use tools such as Nessus or Burp Suite to detect vulnerabilities, and validate the findings through manual analysis.
  - Common Vulnerability Assessments: Address risks such as Cross-Site Request Forgery (CSRF), insecure deserialization, improper session management, and insufficient logging.
Data Privacy and Compliance
- Ensure compliance with relevant national and international data privacy regulations, such as Government of Lebanon data protection laws and GDPR.
- Evaluate how personally identifiable information (PII) and other sensitive legal data are processed, stored, and protected.
Security Monitoring and Incident Response
- Assess logging and monitoring capabilities to ensure all access, modifications, and security events are captured and stored for analysis.
- Evaluate the authority’s incident response procedures, including breach isolation and post-incident reviews.
- Provide recommendations for improving monitoring systems and implementing a formal incident response plan tailored to the CSB context.
Human Resources and Financial Stability
Human Resource Assessment
- Evaluate the current capabilities of the personnel responsible for managing the portal, identifying gaps in the technical expertise necessary for maintaining system security and operational efficiency.
- Offer recommendations for training programs and capacity-building initiatives to address skill deficiencies.
Financial Analysis
- Analyze the financial requirements for maintaining the portal, including recurring costs for infrastructure, personnel, software updates, and security measures.
- Provide a detailed cost estimation and sustainability plan, outlining strategies to optimize long-term operational costs while ensuring the system's continued effectiveness and reliability.
- Expected Deliverables
The vendor is expected to provide the following deliverables:
Preliminary Assessment Report
To be submitted within 10 days of project initiation, detailing the proposed approach, methodology, and project timeline.
Interim Report
A preliminary document highlighting critical vulnerabilities identified early in the assessment, along with initial recommendations. Includes an early evaluation of the human resources and financial management capacities required for long-term sustainability.
Final Security Assessment Report
A comprehensive report detailing all aspects of the security assessment, including identified vulnerabilities, prioritized mitigation strategies, and sustainability analysis for human resources and financial operations.
Remediation Plan
A clear and actionable roadmap outlining the steps, timelines, and resources necessary to address the identified risks and ensure the Portal’s security and operational sustainability.
Presentation
A presentation of findings and recommendations delivered to representatives of Expertise France and CSB. This presentation will include specific recommendations for system sustainability, cost analysis, and capacity building to support long-term management.
- Project Plan and duration
The total duration of the project will be 8 to 10 weeks maximum, with the following milestones:
| Milestone | Duration | Deliverables |
|---|---|---|
| Preliminary assessment | 10 days from kick-off | Preliminary report |
| Interim assessment | 4 weeks from kick-off | Interim Findings report |
| Final Assessment and Action plan | 8-10 weeks from kick-off | Final Security Assessment Report, Remediation Plan, and Presentation |
- Evaluation
The best value for money is established by weighing technical quality against price on a 60/40 basis.
The quality of each technical and financial offer will be evaluated in accordance with the following award criteria and weighting (sub-criteria in parentheses):
| Criteria | Weights |
|---|---|
| Requirements and experience | 60 |
| Vendor Experience & References | (25) |
| Technical and Methodology Capabilities | (25) |
| Proposed delivery timeline | (10) |
| Price (including TCO) | 40 |
Tenders will be appraised and given a score of up to 100 points according to these criteria.
NB:
- Only tenders scoring at least 25 points in the technical evaluation qualify for the financial evaluation.
- No other award criteria will be used. The award criteria will be examined in accordance with the requirements indicated in the Terms of Reference.
- Place, duration, and terms of performance
- Hybrid and onsite at Civil Service Board (CSB)
- Start date: 15/8/2025
- Delivery date: 1/10/2025
- Required expertise and profile
- Demonstrated experience in conducting comprehensive security assessments of portal platforms, particularly open-source solutions.
- Previous experience with a Lebanese Public entity is highly desired and will count towards the final evaluation.
- Expertise in performing both automated and manual security testing, using recognized tools and methodologies.
- Familiarity with open-source security tools, such as OWASP ZAP.
- Extensive knowledge of database security, application security testing, and network infrastructure.
The proposal should include:
- Technical proposal (in MS Word format) detailing the suggested methodology
- Priced BOQ filled in MS Excel format (as per the provided BOQ template)
  - The provided template holds prefilled items that match the requirements of this TOR. Vendors are kindly asked to respect the suggested format.
- Commercial proposal with a filled priced BOQ in MS Excel format.
- Beneficiary profile attached
- MOF and VAT registration number
- Sworn statement on Exclusion Criteria, the absence of conflict of interest.
Please send your proposal by email to Ms. Aya Kassir at the following address:
Submission deadline
All proposals must be submitted no later than 30/7/2025.