Sample ToR for organizational security support

Organizational Information Security Development for ______________

with the engine room


The engine room will work with ______________ to improve security practices within the organization while taking into account team dynamics, priority weakness areas, and the productivity needs of ______________. This process will start in ______ with interviews of key staff, in-person consultations with as many staff as is feasible, and awareness raising at the ______________. By ______, the engine room will develop a draft strategic plan for review by the ______________ operational management team. By the end of _____, the engine room will finalize the plan and begin preparation for the agreed-upon trainings and the check-in/coaching process. The timeline below shows the estimated number of days of work that the engine room will devote to the project over the next 5 months (21 days). Given that this will be an iterative process, work will be invoiced as completed, and the figures should be considered an estimate. This work is budgeted at ____USD per day, for an estimated total of ____USD in the first 6 months.


  • Consultation with staff to identify opportunities, challenges, and staff dynamics in shifting technology practices
  • Detailed strategy for 6 to 12-month process of improving security based on priorities, vulnerabilities, and team dynamics developed in consultation with management and staff
  • Regular check-ins with staff and management to provide support in adopting new tools, measuring progress, and adapting the plan based on changing circumstances and stages of implementation
  • Trainings as needed and as determined in the security strategy


Activity                  Month 1  Month 2  Month 3  Month 4  Month 5  Total (days)
Consultation Process         4        1        -        -        -         5
Strategic Plan               -        3        -        -        -         3
Trainings                    -        -        3        3        1         7
Coaching and Check-ins       -        -        1        1        4         6
Days Subtotal                4        4        4        4        5        21


Discovery Process

The discovery process of the consultation will surface:

  • Security priorities (what needs to be done right away to close critical security loopholes, and which security practices are worth the resources they require)
  • A cast of characters in the organization (who can do what technically, who on staff would be keen to learn more, who is good at helping colleagues learn)
  • Mapping of the organizational toolbox (what technologies does the organization use to do work, what personal technologies do staff use to do work)
  • Mapping of the information management and assets of the organization (who has what information where, how can it be accessed, how sensitive is it, who might want to get it)

Work Plan

The primary output of an in-depth consultation period will be a work plan for:

  • required trainings
  • prioritization and strategic sequencing of trainings and activities
  • benchmarks
  • check-in strategies for management

Security Training and Awareness Raising

As the security strategy unfolds, several tool-specific and technical trainings will be required for staff to feel comfortable changing habits. Trainings will likely include (but would not be limited to):

  • Password practices and management
  • Managing viruses (and avoiding them)
  • Selecting software for the team
  • Destroying data (not just deleting it)
  • Managing staff and organizational back-ups
  • Communicating securely between staff members
  • Storing information securely (encrypting hard drives, and sensitive data)

Staff coaching

Follow-up after training and support for the process of change over time will take place both during and after the training and awareness-raising activities. This coaching will likely include:

  • Awareness raising meetings for thematic teams (finance, operations, management, projects)
  • All-staff meetings for answering questions, providing information about security issues, and developing an organizational vision for security
  • Coaching meetings for management so they know how to check in with staff regularly and provide support when needed
  • A monitoring and evaluation (M&E) strategy to track whether the plan is working