INFORMATION SECURITY ASSESSMENT RFP CHEAT SHEET

Tips for issuing and reviewing Request for Proposal (RFP) documents for information security assessments.

Planning the Security Assessment RFP

Consider whether you'll benefit from issuing the RFP or whether a less formal process is better for you.
If you're not familiar with the services you need, consider issuing an RFI, rather than an RFP.
Understand what's driving your need for the security assessment, so you can be specific in the RFP.
Identify the individuals who should participate in the development of the RFP and in the review of responses.
Consider whether your environment is ready to be assessed, or whether it's best to wait.
Understand and confirm your staff's availability during the assessment to support the project.
Identify and avoid conflicts with other projects during the assessment (e.g., rollout of a new application).
In the RFP, describe the benefits of working with your organization to entice more vendors to respond.

Supporting the RFP Process

Consider various teams' perspectives (legal, IT, audit, etc.) to ensure support for the RFP and the assessment.
Decide on a realistic timeline for the RFP process, allocating sufficient time for responses and review.
Confirm a realistic budget for the assessment, accounting for your requirements and market prices.
Clarify how the RFP responses should be submitted (email, fax, paper mail, etc.) and who will receive them.
Request itemized pricing from the RFP responders, to simplify the comparison of proposed services and costs.
Define the process for receiving timely answers to the questions you may have after reviewing RFP responses.

Defining the Assessment's Details

What business and IT objectives, including compliance requirements, should the assessment support?
What milestones and timeline (dates for starting, ending, performing testing, etc.) do you require?
What reports and other deliverables do you expect to receive? (For reports, outline the desired table of contents.)
What type of security assessment do you need (vulnerability assessment, penetration testing, etc.)?
What is a "must have" and what is a "nice to have" for the desired assessment?
Describe the size of the environment in scope for the assessment (number of systems, applications, etc.).
Consider requiring an NDA if an RFP responder asks for sensitive details for preparing a response.

Distributing the RFP

Decide whether you'll benefit from a large pool of RFP responders or whether you prefer hand-picking the vendors whom you'll invite to respond.
Consider finding potential RFP responders by researching speakers and authors who've demonstrated security assessment expertise.
If you maintain a list of firms interested in your RFPs, contact them; if you don't, consider creating such a list.
To meet promising RFP responders, participate in security events (SANS, Infragard, ISSA, OWASP, etc.).
Request a commitment to respond by a specific date, so you know whether to expect a sufficient number of RFP responses; if necessary, invite additional responders.
Consider sharing the RFP with the vendors with whom you already have a good working relationship.
Define a process for handling the RFP responders' questions fairly and comprehensively.

Selecting the Security Assessment Vendor

Assess the expertise of the individuals the vendor will assign to your security assessment.
Confirm the availability of the vendor's staff in accordance with your timeline and location requirements.
Consider inquiring about the background checks the vendor performed on the staff assigned to the project.
Examine the vendor's project management capabilities.
Define vendor selection criteria and assign weights to each factor based on its importance to you.
Consider what information about the vendor's company you require (e.g., revenue, locations, etc.).
Ask clarifying questions about RFP responses before making your selection.
Inquire about the vendors' references for the type of project you're looking to conduct.
Review the vendor's sample assessment reports.

Typical Elements of an RFP Document

• About Your Organization: Outline the nature of your business, workforce size, location details, etc.
• RFP Process: Clarify selection criteria, RFP timeline, submission guidelines, vendor qualifications, etc.
• Assessment Requirements: Discuss assessment objectives, scope, your infrastructure details, etc.
• Assessment Deliverables: Explain the expected deliverables, including reports and discussions.
• Terms and Conditions: Include the text provided by your organization's legal and procurement teams.

Definitions

Request for Proposal (RFP): A structured document used to solicit proposals for services or products.
Request for Information (RFI): A document, often less formal than an RFP, used to assess available offerings.
Non-Disclosure Agreement (NDA): A contract requiring the parties to protect sensitive data they exchange.
Security assessment: A structured test of IT infrastructure, usually used to assess security posture.

Additional RFP References

Beyond the Template: Writing an RFP That Works [Link]
Sample RFP for Security Risk Assessment … Project [Link]
Truths and Tips on the Flawed RFP Process [Link]

Authored by Lenny Zeltser, a seasoned business and technology leader with extensive information security experience. Special thanks for feedback to Hana Park and Jefferey Saiger. This cheat sheet is
distributed according to the Creative Commons v3 “Attribution” License. File version 1.5. If you liked this reference, take a look at Lenny’s other cheat sheets for IT and information security professionals.