Project Description
We are looking for a candidate who can implement the below scope.
Request for Proposal (RFP)
Project Time: 1 Year
3 Months in Kuwait & Saudi
Data Privacy & Data Loss Prevention (DLP) Hybrid Team
1. Introduction
2. Objectives of the RFP
3. Scope of Work
3.1 Data Privacy Governance & Framework
3.2 Policy Implementation & Enforcement
3.3 Regulatory & Compliance Alignment
3.4 Data Loss Prevention (DLP) Operations
3.5 Risk Management & GRC Integration
3.6 Awareness & Enablement
4. Operating Model
4.1 Hybrid Team Model
4.2 Governance & Reporting
5. In-Scope and Out-of-Scope
5.1 In Scope
5.2 Out of Scope
6. KPIs and SLAs
7. RACI and Decision Authority
8. Data Classification and Coverage Requirements
9. Tooling and Integration Requirements
10. Data Breach and Incident Support
11. Knowledge Transfer and Exit Strategy
12. Localization and Regulatory Alignment
13. Deliverables
14. Vendor Requirements
14.1 Advanced Data Classification & Ownership
14.2 Privacy by Design & Data Minimization
15. Proposal Submission Requirements
16. Confidentiality
Data Privacy & Data Loss Prevention (DLP) Hybrid Team
1. Introduction
client Kuwait invites qualified vendors to submit proposals for establishing and operating a Data Privacy function that will work closely with the client Cybersecurity Team. The selected vendor will support the creation of the data privacy backbone across the organization, ensuring regulatory compliance, effective data protection, and operational integration with cybersecurity, GRC, and regulatory teams.
This engagement is expected to be delivered through a hybrid operating model (on-site and off-site resources).
3. Scope of Work
3.1 Data Privacy Governance & Framework
The vendor shall:
• Design and maintain the enterprise data privacy framework aligned with client policies and standards.
• Develop supporting procedures, guidelines, and operational playbooks.
• Implement privacy-by-design and privacy-by-default practices.
• Maintain data privacy artefacts, registers, and records of processing activities (RoPA).
3.2 Policy Implementation & Enforcement
• Apply and operationalize Data Privacy Policies approved by the Cybersecurity function.
• Support periodic reviews and updates of privacy policies, standards, and procedures.
• Ensure consistent enforcement across business units, applications, and data flows.
3.3 Regulatory & Compliance Alignment
• Work closely with the Regulatory and Legal teams to ensure alignment with:
    - CITRA By-Law framework
    - Local data protection laws
    - Applicable contractual and regulatory obligations
• Support regulatory audits, inspections, and compliance assessments.
• Assist in responding to regulatory inquiries and data subject requests (DSRs), where applicable.
3.4 Data Loss Prevention (DLP) Operations
The vendor shall manage and operate client’s DLP capabilities, including:
Structured Data
• Databases
• Data warehouses
• ERP and business applications
Unstructured Data
• Endpoints (laptops, desktops)
• Email systems
• File shares and collaboration platforms
• Cloud storage services
Activities include:
• DLP policy configuration and tuning
• Monitoring, alert triage, and incident handling
• Integration with SOC and Cybersecurity incident response
• Continuous improvement of DLP rules and use cases
3.5 Risk Management & GRC Integration
• Operate under the GRC Manager’s oversight.
• Identify, assess, and track data privacy risks in coordination with the GRC team.
• Support DPIAs, TIAs, and privacy risk assessments.
• Contribute to risk registers, action plans, and management reporting.
3.6 Awareness & Enablement
• Support data privacy awareness initiatives and targeted training programs.
• Provide guidance to business owners, IT, and application teams.
• Promote a culture of privacy and responsible data handling.
3.7 Red Teaming, Vulnerability Management & IAM Operational Activities
To strengthen the overall Data Privacy and DLP operating model, the vendor shall support cybersecurity-aligned technical validation activities to ensure that personal data, sensitive data, and regulated datasets remain protected across all environments.
3.7.1 Red Team Assessments & Adversarial Simulation
The vendor shall conduct periodic and targeted red team activities focused specifically on data-privacy-related assets, including but not limited to:
• Simulated adversarial attacks targeting data repositories and privacy-sensitive systems.
• Attempted lateral movement to reach high-value personal data stores.
• Testing the effectiveness of existing privacy and DLP controls under real-world attack scenarios.
• Validating detection efficiency through SOC/XDR integrations.
• Providing detailed post-engagement reports with findings, risk rating, evidence, and recommended mitigation plans.
• Supporting purple team exercises with Cybersecurity & SOC teams.
3.7.2 Vulnerability Assessments Related to Data Privacy Assets
The vendor shall perform continuous vulnerability assessments focusing on systems and environments that process, store, or transmit regulated data:
• Periodic vulnerability scanning for databases, data warehouses, and high sensitivity applications.
• Configuration review of data stores and DLP integrated assets.
• Identification of privacy-impacting misconfigurations (e.g., exposed PII fields, weak encryption).
• Support remediation validation and re-testing.
• Integration of findings into GRC risk registers and privacy impact assessments.
3.7.3 Penetration Testing for Data-Critical Systems
The vendor shall support application and infrastructure penetration testing activities with specific focus on:
• Personal data repositories
• ERP and CRM applications
• Cloud storage systems hosting sensitive or regulated datasets
• Data pipelines, APIs, and data transfer workflows
• DLP bypass attempts and evasion techniques
Deliverables include:
• Executive and technical reports
• Exploitation evidence
• Root-cause analysis and security control improvement recommendations
3.7.4 IAM & Access Governance Operational Activities
To ensure proper governance of data access aligned with Privacy-by-Design and Data Minimization principles, the vendor shall support IAM/PAM-related operations including:
• Periodic user access reviews (UAR) for systems processing personal data.
• Validation of least-privilege, need-to-know, and role-based access controls.
• Review of privileged access (PAM) to sensitive databases and applications.
• Monitoring for anomalous access patterns in coordination with SOC.
• Access recertification workflows with business and technical owners.
• Support in maintaining access attestation records required by CITRA By-Law compliance.
3.7.5 Database Security & Data Protection Validation
The vendor shall perform technical activities related to securing sensitive data at rest and in motion:
• Review of database encryption, masking, and tokenization controls.
• Assessment of backup and restore procedures for compliance with data privacy requirements.
• Verification of logging, monitoring, and retention policies for sensitive data.
• Testing for unauthorized data exfiltration paths.
4. Operating Model
4.1 Hybrid Team Model
The proposed team shall operate in a hybrid model, including:
• On-site resources for close collaboration with Cybersecurity, GRC, and business teams.
• Off-site resources for operational support, analysis, and continuous monitoring.
4.2 Governance & Reporting
• Functionally report to the GRC Manager.
• Maintain strong working alignment with:
    - Cybersecurity Team
    - Regulatory & Legal Team
    - IT and Digital Platforms
• Provide regular operational, risk, and compliance reports.
5. In-Scope and Out-of-Scope
5.1 In Scope
• Enterprise data privacy governance and operations
• Implementation and operation of data privacy controls
• Data Loss Prevention (DLP) configuration, monitoring, tuning, and optimization
• DPIAs, TIAs, and privacy risk assessments
• Regulatory compliance support aligned with CITRA By-Law
• Coordination with Cybersecurity, GRC, IT, and business teams
5.2 Out of Scope
• Provision of formal legal advice or legal opinions
• Final approval and ownership of cybersecurity or privacy policies
• Cyber incident response ownership (remains with SOC/Cybersecurity)
• Procurement activities and vendor contract negotiations
6. KPIs and SLAs
The vendor shall commit to measurable KPIs and SLAs, including but not limited to:
Domain            KPI                                   Target
DLP Operations    Incident triage time                  ≤ 4 hours
DLP Operations    False positive rate                   < 15%
Privacy Risk      DPIA completion                       ≤ 10 business days
Compliance        High-risk regulatory findings         0
Awareness         Privacy training coverage             ≥ 95%
Governance        RoPA coverage for critical systems    1
7. RACI and Decision Authority
Activity                 Privacy Team   Cybersecurity   GRC Manager   Legal/Regulatory
Privacy Policies         R              A               C             C
DLP Rules & Use Cases    R              A               C             I
DPIA & TIA               R              C               A             C
Regulatory Engagement    R              C               A             A
Privacy Risk Register    C              C               A             I
(R = Responsible, A = Accountable, C = Consulted, I = Informed)
8. Data Classification and Coverage Requirements
The vendor shall ensure privacy and DLP controls cover:
• Personal Data, Sensitive Personal Data, and Special Categories of Data
• Customer, employee, contractor, and vendor data
• Structured and unstructured data sources
• On-premise, cloud, SaaS, and hybrid environments
• Cross-border data transfers
9. Tooling and Integration Requirements
The proposed solution must integrate with existing client platforms, including:
• SOC and XDR platforms (e.g., Palo Alto)
• SIEM and monitoring tools
• IAM and PAM solutions (e.g., Delinea)
• Ticketing and case management systems
• Data discovery and classification tools
13. Deliverables
Expected deliverables include, but are not limited to:
• Data Privacy Framework and Operating Model
• Privacy policies, procedures, and guidelines
• Records of Processing Activities (RoPA)
• DPIA and privacy risk assessment reports
• DLP operational reports and metrics
• Compliance and regulatory readiness reports