
TERMS OF REFERENCE - Home Guaranty Corporation services for HGC... · 2018-03-18 · SCOPE OF WORK The Training Service ... Analyzi ng The Organizational Context o Setting goals for


TERMS OF REFERENCE FOR THE PROCUREMENT OF TRAINING SERVICES FOR THE IMPROVEMENT OF HGC'S QUALITY AND INFORMATION SECURITY MANAGEMENT SYSTEM (QISMS)

I. OBJECTIVE

The procurement of the services of an ISO-certified Training Service Provider aims to conduct trainings for the ISO Core Team to improve the HGC's Quality and Information Security Management System.

A. The Training Service Provider shall focus on the development and implementation of a business continuity management system (BCMS) that will ensure the continuity of their core processes, allowing the nonstop delivery of products and services to its customers. The business continuity management system is aligned with ISO standards.

B. The Training Service Provider shall combine both security and data privacy principles into an integrated course. Key concepts shall be clearly presented to help build data protection awareness and improve learner behaviors. The Tutor will also guide the documentation and integration of data privacy requirements under RA 10173 or the "Data Privacy Act of 2012" into HGC's QISMS.

II. SCOPE OF WORK

The Training Service Provider shall act as tutor throughout the project and is expected to provide and transfer expert knowledge of BCMS and data privacy, covering its development, implementation and integration into HGC's existing QISMS.

Training Course 1: Business Continuity Management System Development Course

The Training Service Provider shall design and deliver a customized training course for the HGC QISMS Core Team of Fifty (50) members, which aims to:

1. determine the criticality of processes and activities to the organization using a structured approach;

2. identify the consequences of disrupted processes through a comprehensive business impact analysis;

3. understand the mandatory requirements of the ISO 22301 BCMS Standard and the strategies for its implementation;

4. reduce the likelihood and consequence of incidents through a structured and coherent risk assessment process;

5. determine business continuity metrics to enable the organization to recover and restore its processes;

6. discuss the governance framework necessary to manage the BCMS for the organization; and


7. draw up an approach to implementing the BCMS in the most economical manner, with all critical processes and stakeholders taken into consideration.

Topics:

The course outline of the 3-day training and workshop session includes the following topics:

Introduction and Overview

Defining Business Continuity Management
- Business continuity vs. disaster recovery
- Clarifying the terminology
- The importance of a BCMS
- Overview of ISO 22301
- Obtaining the funding commitments
- Agreeing on critical success factors
- Testing deliverables

Analyzing the Organizational Context
- Setting goals for the BCMS
- Determining organizational risk appetite
- Defining the operational environment

Determining the Needs of Interested Parties
- Identifying stakeholders
- Analyzing stakeholder needs
- Mapping stakeholder relationships

Documenting Business Continuity Requirements
- Identifying mission-critical continuity needs
- Evaluating which functions are critical
- Setting priorities based on time horizons
- Prioritizing processes and applications

Performing Business Impact Analysis (BIA)
- Identifying threats
- Assessing risks to the enterprise
- Identifying business-critical activities
- Prioritizing infrastructure requirements

Managing Risks to the Organization
- Characterizing risks
- Defining and identifying the sources of risk
- Choosing a risk assessment method
- Communicating risks across the organization


Developing Appropriate Responses
- Matching the response to the risk
- Taking preventive action
- Ensuring appropriate contingencies are in place

Responding to Incidents
- Creating the incident response plan
- Capturing the planning output

Creating Incident Response Team Charters
- Defining roles and responsibilities
- Responding to incident scenarios
- Information directories and equipment inventories

Directing the Incident Response Team
- Setting up the command center
- Planning and conducting communications
- Connecting with emergency services
- Team actions following an incident

Designing Contingency Arrangements
- Establishing a standby site
- Site choices: configuration and acquisition
- Choosing suppliers: in-house vs. third-party
- Specifying equipment

Selecting Backup and Restore Strategies
- Matching strategy to operational constraints
- Meeting the organization's storage requirements for vital records

Restoring Communications and Recovering Users
- Determining vital users with the BIA
- Rerouting voice, mail, goods delivery
- Eliminating single points of failure
- Connecting end users
- Meeting varied user-recovery needs

Testing, Rehearsing and Improving Business Continuity Provisions
- Rehearsing business continuity arrangements
- Testing plans with a step-by-step process
- Developing test scenarios and using test results effectively
- Considering the impact of testing on the organization

Maintaining and Improving the BCMS
- Applying change control: why and how
- Ensuring normal developments are accounted for
- Leveraging test results to improve organizational practices
- Managing organizational change

Training Course 2: Security Awareness and Data Privacy Training

The Training Service Provider shall design and deliver a customized training course for the HGC QISMS Core Team of Fifty (50) members, which aims to:

The goal is to create informed employees who can identify PII and security threats, understand the risks, and make better data protection decisions that ultimately reduce risks for your organization. Good data protection practices will strengthen the consumer's trust in your organization and foster customer loyalty. Trust and loyalty are essential to maintaining lifetime customers.

Topics:

The course outline of the 3-day training and workshop session includes the following topics:

Introduction and Overview

The HGC Core Team must maintain policies and internal controls that ensure the company is complying with key laws and regulations on an ongoing basis. Key policies and internal controls include:

1. External privacy statements provided to consumers and others regarding the company's collection and use of data, including:
- website privacy policies;
- mobile app privacy policies; and
- policies that apply to offline collection and use of data.

2. Internal privacy policies and procedures, such as those that govern how the company collects, uses, protects, retains and shares consumer and employee personal information.

3. Policies and procedures related to privacy and security breaches, such as incident:
- response plans and procedures; and
- reporting and tracking tools.

4. Internal reporting mechanisms for:
- communicating privacy concerns; and
- reporting to the board of directors or senior management.

5. External reporting mechanisms for reporting privacy:
- issues to law enforcement or regulators; and
- risks to the Securities and Exchange Commission.

6. Policies and procedures that address communicating with persons whose personal information the company has collected, such as:
- personal information access and correction policies; and
- procedures for handling privacy complaints.

7. Policies that address the use of company IT and communications resources, such as:
- acceptable use of company IT systems;
- social media policies; and
- bring your own device policies.

8. Tools that address managing privacy risk and assessing program success, including:
- privacy by design policies and practices;
- risk assessment tools;
- privacy impact assessments; and
- privacy measures.

9. Data governance practices and policies that guide compliance and address data privacy regulations, such as:
- records retention schedules;
- records disposal policies and procedures; and
- records storage policies and procedures.

10. Internal policies that address the governance of corporate "crown jewel" (intellectual capital) data.

11. Supplier, vendor and other third-party privacy requirements.

12. Controls directed to tracking and complying with any jurisdiction-specific requirements, such as registering with foreign data protection authorities.

III. CRITERIA FOR SELECTION

The committee shall decide on the best technical specification offer based on the following criteria:

Criteria                                        Percentage
A. Technical Proposal                              70%
   1. Quality of Personnel to be Assigned          30%
   2. Firm Experience & Capability                 30%
   3. Plan of Approach & Methodology               40%
B. Cost Proposal                                   30%