National Consultant: ICT Systems Security Expert

Tags: Human Rights Law English
  • Added Date: Tuesday, 26 August 2025
  • Deadline Date: Sunday, 07 September 2025

Result of Service
  • Inception Meeting Conducted and Inception Report Finalized & Submitted to UNODC, incorporating scope, timelines, and methodology agreed with the Judiciary.
  • Capacity-Building Training Sessions Completed and Delivered for Developers/Database Administrators, covering secure development, database/application security, data center security, SDLC reviews, and data privacy compliance.
  • Cybersecurity Team Training Finalized and Delivered, including ethical hacking, system audits, SIEM/log correlation, digital forensics, and development of security policies, procedures, and incident response plans.
  • System Administrators Training Completed and Delivered, focusing on on-premise and cloud server security, hardening techniques, encryption practices, and container/Kubernetes security.
  • Network Administrators Training Successfully Conducted and Finalized, with delivery of sessions on network security architecture, firewalls, IDS/IPS, secure remote access, DDoS protection, and Zero Trust Architecture recommendations.

Work Location
Nairobi, Kenya

Expected duration
30 Working Days; 01 October - 30 November 2025

Duties and Responsibilities

1. Background of the Assignment

As the global guardian of the United Nations standards and norms in Crime Prevention and Criminal Justice, UNODC seeks to strengthen the rule of law through the prevention of crime and the promotion of fair, humane, and accountable criminal justice systems. To do this, UNODC provides Member States with expertise and advice to develop effective and responsible crime prevention strategies and policies and to build the capacity of their criminal justice systems to operate more effectively within the framework of the rule of law, while promoting human rights and protecting vulnerable groups.

Within the framework of the Crime Prevention and Criminal Justice Programme, UNODC's project titled "Programme for Legal Empowerment and Aid Delivery (PLEAD) Phase II" seeks to "Reinforce the rule of law, improve access to justice, increase efficiency and accountability in the justice system and use of technology as an enabler of justice" while addressing capacity needs and persistent bottlenecks affecting service delivery in the justice sector, advancing digitalization to streamline the administration of justice, and countering corruption to improve access to justice for all Kenyans, including those at risk of exclusion and marginalization.

The PLEAD II component implemented by UNODC targets support to the following institutions in the justice chain (national partners): National Council on the Administration of Justice (NCAJ), Judiciary, Office of the Director of Public Prosecutions (ODPP), Probation and Aftercare Service (PACS), Witness Protection Agency (WPA), Directorate of Children Services (DCS), Ethics and Anti-Corruption Commission (EACC), Kenya Prisons Service (KPS) and National Police Service (NPS). On the other hand, the United Nations Development Programme (UNDP) will support Civil Society Organisations (CSOs) through its flagship Amkeni Wakenya facility.

2. Purpose of the Assignment

Judiciary systems are high-value targets for cyberattacks due to the sensitive and confidential data they handle. Breaches could lead to loss of trust, delays in justice, and legal repercussions. Currently, there are gaps in structured training and incident response preparedness across the Judiciary's ICT workforce. System developers, administrators, network engineers, and cybersecurity officers require specialised training to secure digital justice infrastructure effectively.

3. Specific Tasks to be performed by the consultant

The consultant will work under the overall supervision of the Head of the Crime Prevention and Criminal Justice Programme, UNODC ROEA, direct supervision of the Programme Manager in coordination with the Programme officers and work closely with the Judiciary in performing the following substantive duties and responsibilities.

In this regard, the UNODC seeks to strengthen the Judiciary's ICT systems through enabling the development of a security by design capacity building model with the following objectives:
  a. Build capacity in secure system development and Security by Design
  b. Train system administrators on server and infrastructure hardening
  c. Equip network engineers with skills to protect the Judiciary's network perimeter
  d. Confidence building & empowerment of cybersecurity staff to carry out audits, ethical hacking, and incident response.

The consultant shall perform the following tasks:

a. Inception Meeting and Report: Undertake an inception meeting with the relevant stakeholders at the Judiciary to review the scope, timelines and methodology of work. Draft and submit to UNODC the inception report.

b. Capacity building in Security-by-Design and Cybersecurity will be separately undertaken for four different target beneficiaries as identified below:

  1. Developers/Database administrators on various components identified below:
     i. Application and Database Security by Design
        - Secure development of web-based systems, including practical elements focused on preventing vulnerabilities such as Cross-Site Scripting (XSS), SQL injection (SQLi), and other common web attacks.
        - Identity & Access Management (IAM), including:
          • Role-Based Access Control (RBAC), MFA, and least privilege enforcement.
          • Session management & credential storage best practices.
     ii. Data Center Security (Physical & Logical), including:
          • Review of access controls, surveillance, environmental controls, and redundancy.
          • Data encryption (at rest & in transit), backup security, and key management.
     iii. Secure Software Development Lifecycle Reviews, including:
          • Threat modelling for CTS, e-Filing, Jumuika ERP, and e-Payments.
          • Code review & SAST/DAST (Static & Dynamic Application Security Testing).
          • API security assessment (authentication, rate limiting, input validation).
     iv. Data Privacy & Compliance, including:
          • Alignment with Kenya's Data Protection Act (2019) and GDPR and in collaboration with ODPC (if applicable).
          • Data classification, retention policies, and audit logging.

  2. Cybersecurity team on various components identified below:
     i. Ethical hacking and system audits by training the cybersecurity team on:
          • Vulnerability scanning and penetration testing
          • SIEM systems and log correlation
          • Data loss prevention and secure auditing
          • Digital forensics and incident response planning
     ii. Security Policies & Procedures, including:
          • Development of Incident Response Plan (IRP), BCP, and DRP.
          • Security baselines & configuration management.
     iii. Practical workshops covering:
          • Secure coding training for Judiciary developers.
          • Phishing simulation & cybersecurity awareness for staff.

  3. System Administrators Team on various components identified below:
     i. Train the team on Server Security (On-Prem & Cloud), including:
          • Hardening of physical and virtual servers (OS, middleware, databases).
          • Cloud security posture review (IAM, encryption, logging, CSPM).
          • Container & Kubernetes security (if applicable).

  4. Network administrators on various components identified below:
     i. Train the Network Team in Network Security Architecture, including:
          • Review of network segmentation, firewalls, IDS/IPS, VPNs, and secure remote access.
          • Recommendations for Zero Trust Architecture (ZTA) implementation.
          • Assessment of DDoS protection, traffic monitoring, and secure DNS configurations.

Qualifications/special skills
An advanced university degree in Cybersecurity, Computer Science, Computer Engineering or a related field is required (Master's or equivalent). A first level university degree is required in Civil Engineering or similar fields in combination with two additional years of qualifying experience may be accepted in lieu of the advanced university degree.
  a. A minimum of five years of progressively responsible professional experience in ICT Security/cybersecurity is required.
  b. Experience in penetration testing and vulnerability assessments, IDS/Firewalls/VPN Administration, content filters, Security scan tools, Network and Systems, servers etc. is required.
  c. Experience in enterprise security document creation is required.
  d. Experience in designing and delivering employee security awareness training is desirable.
  e. Experience in developing Business Continuity Plans and Disaster Recovery is desirable.

Languages
English and French are the working languages of the United Nations Secretariat. For this position, fluency in oral and written English is required. Knowledge of other United Nations Secretariat languages is an advantage.

Additional Information
Not available.

No Fee
THE UNITED NATIONS DOES NOT CHARGE A FEE AT ANY STAGE OF THE RECRUITMENT PROCESS (APPLICATION, INTERVIEW MEETING, PROCESSING, OR TRAINING). THE UNITED NATIONS DOES NOT CONCERN ITSELF WITH INFORMATION ON APPLICANTS' BANK ACCOUNTS.