This cheat sheet offers tips for planning, issuing and reviewing Request for Proposal (RFP) documents for information security assessments. To print, use the one-sheet PDF version; you can also edit the Word version for your own needs.
This write-up aims at helping your organization receive security RFP responses best suited for your requirements. I respond to a fair number of security assessment RFPs; this cheat sheet shares my perspective on the RFP process.
Consider whether you'll benefit from issuing the RFP or whether a less formal process is better for you.
If you're not familiar with the services you need, consider issuing an RFI, rather than an RFP.
Understand what's driving your need for the security assessment, so you can be specific in the RFP.
Identify the individuals who should participate in the development of the RFP and in the review of responses.
Consider whether your environment is ready to be assessed, or whether it's best to wait.
Understand and confirm your staff's availability during the assessment to support the project.
Identify and avoid conflicts with other projects during the assessment (e.g., rollout of a new application).
In the RFP, describe the benefits of working with your organization to entice more vendors to respond.
Consider various teams' perspectives (legal, IT, audit, etc.) to ensure support for the RFP and the assessment.
Decide on a realistic timeline for the RFP process, allocating sufficient time for responses and for their review.
Confirm a realistic budget for the assessment, accounting for your requirements and market prices.
Clarify how the RFP responses should be submitted (email, fax, paper mail, etc.) and who will receive them.
Request itemized pricing from the RFP responders, to simplify the comparison of proposed services and costs.
Define the process for receiving timely answers to the questions you may have after reviewing RFP responses.
What business and IT objectives, including compliance requirements, should the assessment support?
What milestones and timeline (dates for starting, ending, performing testing, etc.) do you require?
What reports and other deliverables do you expect to receive? (For reports, outline desired table of contents.)
What type of a security assessment do you need (vulnerability assessment, penetration testing, etc.)?
What is a "must have" and what is a "nice to have" for the desired assessment?
Describe the size of the environment in scope for the assessment (number of systems, applications, IP addresses, etc.).
Consider requiring an NDA if an RFP responder asks for sensitive details for preparing a response.
Decide whether you'll benefit from a large pool of RFP responders or whether you prefer hand-picking the vendors whom you'll invite to respond.
Consider finding potential RFP responders by researching speakers and authors who've demonstrated security assessment expertise.
If you maintain a list of firms interested in your RFPs, contact them; if you don't, consider creating such a list.
Request a commitment to respond by a specific date, so you know whether to expect a sufficient number of RFP responses; if necessary, invite additional responders.
Consider sharing the RFP with the vendors with whom you already have a good working relationship.
Define a process for handling the RFP responders' questions fairly and comprehensively.
Assess the expertise of the individuals the vendor will assign to your security assessment.
Confirm the availability of the vendor's staff in accordance with your timeline and location requirements.
Consider inquiring about the background checks the vendor performed on the staff assigned to the project.
Examine the vendor's project management capabilities.
Define, for yourself, vendor selection criteria and assign a weight to each factor based on its importance to you.
Consider what information about the vendors' companies you require (e.g., revenue, locations, years in business, etc.).
Ask clarifying questions about the RFP responses before making your selection.
Inquire about the vendors' references for the type of project you're looking to conduct.
Review the vendor's sample assessment reports.
Request for Proposal (RFP): A structured document used to solicit proposals for services or products
Request for Information (RFI): A document, often less formal than an RFP, used to assess available offerings
Non-Disclosure Agreement (NDA): A contract requiring the parties to protect sensitive data they exchange
Security assessment: A structured examination of IT infrastructure, applications or processes, usually used to evaluate security posture and identify weaknesses
Special thanks for feedback to Hana Park and Jefferey Saiger. If you have suggestions for improving this cheat sheet, please let me know.
This cheat sheet is distributed according to the Creative Commons v3 "Attribution" License. File version 1.4.
Authored by Lenny Zeltser. Lenny is a seasoned business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania. You can follow Lenny on Twitter, read his blog and circle him on Google+.
Copyright © 1995-2013 Lenny Zeltser. All rights reserved.
The information on this site does not necessarily represent positions or opinions of my employer.