1. Background and organizational context
The International Initiative for Impact Evaluation (3ie) is a mission-driven non-profit organization dedicated to using evidence to transform people’s lives in low- and middle-income countries (L&MICs). We collaborate with decision-makers in governments, foundations, NGOs, development and research organizations globally to meet their evidence needs and facilitate the use of evidence in their work.
3ie has offices in India, the United Kingdom, and the United States, with staff based across the globe — including staff engaged through Employer of Record (EOR) arrangements.
3ie's technology environment spans multiple cloud platforms, SaaS applications, and externally accessible digital assets. The organization is subject to data privacy obligations under multiple regulatory frameworks, including the EU/UK General Data Protection Regulation (GDPR) and India's Digital Personal Data Protection (DPDP) Act, 2023.
In order to proactively understand and manage its cybersecurity risk posture, 3ie seeks to engage a qualified firm, with CISA-certified staff leading the engagement (see Section 7), to conduct a comprehensive Cybersecurity Risk Assessment across its core technology environment.
2. Objectives
The primary objectives of this engagement are to:
- Identify and evaluate key cybersecurity risks across 3ie's defined systems, applications, and environments.
- Assess governance practices, policies, and risk management processes against the NIST Cybersecurity Framework (CSF) 2.0.
- Evaluate technical safeguards, security configurations, and identity and access management controls within in-scope systems.
- Provide risk-based observations mapped to NIST CSF functions and aligned to India's DPDP Act controls.
- Deliver a prioritized, actionable remediation roadmap to support management's risk mitigation decisions.
3. Scope of work
In-scope systems and environments
The assessment shall cover the following systems and environments:
| Category | Details |
| --- | --- |
| Network environment | 3ie's internal network infrastructure and connectivity |
| Core business applications | Birdview PSA, Time Reporting System (TRS), SmartSimple GMS, 3ie Connect (Sage/Salesforce integration) |
| CRM and productivity platforms | Salesforce CRM, Microsoft 365 (M365), Google Workspace |
| Hosting and infrastructure | AWS, Linode, and Acquia hosting environments; GitHub; organization-managed workstations, laptops, and servers |
| Public digital assets | 3ieimpact.org website and other publicly accessible digital assets such as DEP, EGM (and EGM Open Access), RIDIE, TREE toolkit, Remote Sensing inventory and PIR methods menu |
| Governance documentation | Relevant cybersecurity policies and procedures |
4. Required activities
The selected firm shall perform the following activities as part of the engagement:
- Conduct structured risk discovery interviews with key 3ie personnel and/or relevant service providers to understand governance, risk management practices, and operational workflows related to in-scope systems.
- Review relevant cybersecurity policies and procedures, evaluating documentation against the NIST CSF Quick Start Guide (QSG) for small businesses.
- Work with management to establish and validate a structured inventory of in-scope systems, SaaS applications, and technology assets — identifying those that handle sensitive personal data or underpin critical operational functions.
- Perform a targeted review of security configuration settings within defined systems, including:
◦ Organization-managed workstations and endpoints
◦ Microsoft 365 and Google Workspace tenant configurations
◦ Identity and access management posture
◦ Endpoint security coverage
- Conduct vulnerability and security configuration analysis on 3ie-managed workstations, laptops, and servers.
- Conduct an Open-Source Intelligence (OSINT) review of 3ie's publicly-facing domain(s) to evaluate observable external exposure.
- Map all identified observations to the NIST CSF 2.0 core functions (Govern, Identify, Protect, Detect, Respond, Recover) and, where applicable, to India's DPDP Act controls.
- Evaluate each observation using a structured likelihood and impact model to determine risk ratings (Low / Moderate / High).
5. Deliverables
The selected firm shall provide the following deliverables to 3ie upon completion of fieldwork:
| # | Deliverable | Description |
| --- | --- | --- |
| 1 | Executive summary | A concise summary in plain language, suitable for organizational leadership and the Board, describing the overall cybersecurity posture and key risk findings. |
| 2 | Detailed risk assessment report | Full report with all observations mapped to NIST CSF 2.0 functions and tied to DPDP Act controls; delivered in both PDF and Excel formats for management tracking. |
| 3 | Risk-based recommendations | Specific, actionable recommendations for each identified risk observation, with clear rationale and suggested ownership. |
| 4 | Prioritized remediation roadmap | A roadmap categorizing recommended actions into short-term (0–3 months), medium-term (3–12 months), and long-term (12+ months) implementation horizons, informed by complexity and security benefit. |
| 5 | Final debrief presentation | A presentation and discussion session delivered to relevant 3ie stakeholders, walking through key findings, risk ratings, and the recommended roadmap. |
6. Regulatory and compliance context
Given 3ie's global operations and data processing activities, the selected firm must demonstrate awareness of and, where applicable, incorporate the following regulatory frameworks into the assessment:
| Regulation / framework | Relevance to 3ie |
| --- | --- |
| EU/UK GDPR | Staff and beneficiary data processing across European and UK operations |
| India DPDP Act, 2023 | Primary jurisdiction for 3ie's India office; report observations must be tied to DPDP Act controls |
7. Minimum qualifications and experience
Firms submitting a proposal must demonstrate the following minimum qualifications:
- Active CISA (Certified Information Systems Auditor) certification held by the engagement lead or senior team member.
- At least one team member holding a Certified Ethical Hacker (CEH), CompTIA Security+, or equivalent technical certification.
- Demonstrated experience conducting cybersecurity risk assessments for nonprofit organizations, INGOs, or similarly distributed multi-jurisdiction entities.
- Familiarity with the applications and platforms in scope (Microsoft 365, Google Workspace, Salesforce, AWS, and similar SaaS environments).
- Experience supporting organizations subject to multi-jurisdiction data privacy obligations (GDPR, DPDP Act, PIPEDA).
- Ability to work entirely remotely with a geographically distributed client team.
8. Proposal submission requirements
Proposals must be submitted to skhandelwal@3ieimpact.org no later than 21 April 2026. Late submissions will not be considered.
Proposals must include the following sections and information:
- Cover letter confirming the firm's interest and ability to meet all minimum qualifications outlined in Section 7.
- Firm background and experience, with specific reference to nonprofit or INGO clients and comparable cybersecurity risk assessment engagements (with anonymized or named references as appropriate).
- Proposed methodology and workplan, including a description of each phase of the engagement, key activities, and an indicative timeline.
- Engagement team composition: names, roles, and current certifications of all personnel assigned to this engagement.
- Proposed fees: a fixed-fee quote for the core engagement as described in this Terms of Reference.
- At least two references from comparable engagements, including contact information.