Cybersecurity Risk Assessment
Deadline: 21 April 2026
Background and organizational context
The International Initiative for Impact Evaluation (3ie) is a mission-driven non-profit organization dedicated to using evidence to transform people’s lives in low- and middle-income countries (L&MICs). We collaborate with decision-makers in governments, foundations, NGOs, development and research organizations globally to meet their evidence needs and facilitate the use of evidence in their work.
3ie has offices in India, the United Kingdom, and the United States, with staff based across the globe — including staff engaged through Employer of Record (EOR) arrangements.
3ie's technology environment spans multiple cloud platforms, SaaS applications, and externally accessible digital assets. The organization is subject to data privacy obligations under multiple regulatory frameworks, including the EU/UK General Data Protection Regulation (GDPR), and India's Digital Personal Data Protection (DPDP) Act, 2023.
In order to proactively understand and manage its cybersecurity risk posture, 3ie seeks to engage a qualified, CISA-certified firm to conduct a comprehensive Cybersecurity Risk Assessment across its core technology environment.
Objectives
The primary objectives of this engagement are to:
- Identify and evaluate key cybersecurity risks across 3ie's defined systems, applications, and environments.
- Assess governance practices, policies, and risk management processes against the NIST Cybersecurity Framework (CSF) 2.0.
- Evaluate technical safeguards, security configurations, and identity and access management controls within in-scope systems.
- Provide risk-based observations mapped to NIST CSF functions and aligned to India's DPDP Act controls.
- Deliver a prioritized, actionable remediation roadmap to support management's risk mitigation decisions.
Required activities
The selected firm shall perform the following activities as part of the engagement:
- Conduct structured risk discovery interviews with key 3ie personnel and/or relevant service providers to understand governance, risk management practices, and operational workflows related to in-scope systems.
- Review relevant cybersecurity policies and procedures, evaluating documentation against the NIST CSF Quick Start Guide (QSG) for small businesses.
- Work with management to establish and validate a structured inventory of in-scope systems, SaaS applications, and technology assets — identifying those that handle sensitive personal data or underpin critical operational functions.
- Perform a targeted review of security configuration settings within defined systems, including:
- Organization-managed workstations and endpoints
- Microsoft 365 and Google Workspace tenant configurations
- Identity and access management posture
- Endpoint security coverage
- Conduct vulnerability and security configuration analysis on 3ie-managed workstations, laptops, and servers.
- Conduct an Open-Source Threat Intelligence (OSINT) review of 3ie's publicly-facing domain(s) to evaluate observable external exposure.
- Map all identified observations to the NIST CSF 2.0 core functions (Govern, Identify, Protect, Detect, Respond, Recover) and, where applicable, to India's DPDP Act controls.
- Evaluate each observation using a structured likelihood and impact model to determine risk ratings (Low / Moderate / High).
Proposal submission requirements
Proposals must be submitted to skhandelwal@3ieimpact.org no later than 21 April 2026. Late submissions will not be considered.
Proposals must include the following sections and information:
- Cover letter confirming the firm's interest and ability to meet all minimum qualifications outlined in Section 7.
- Firm background and experience, with specific reference to nonprofit or INGO clients and comparable cybersecurity risk assessment engagements (with anonymized or named references as appropriate).
- Proposed methodology and workplan, including a description of each phase of the engagement, key activities, and an indicative timeline.
- Engagement team composition: names, roles, and current certifications of all personnel assigned to this engagement.
- Proposed fees: a fixed-fee quote for the core engagement as described in this Terms of Reference.
- At least two references from comparable engagements, including contact information.
For detailed information, please check the complete version of the RFP on the link below
https://3ieimpact.org/careers/cybersecurity-risk-assessment