Last Updated: 2009-01-24 02:22:15 UTC
by Lenny Zeltser (Version: 1)
Creating RFPs for security solutions and processing the responses is not an easy task. Having responded to a fair number of such RFPs, I found that many of them are created hastily, and don’t allow the issuer to benefit from quality responses.
Here's my list of the top 10 mistakes organizations make when crafting a security RFP:
- Create the RFP in a silo, without considering input from stakeholders throughout the organization.
- Provide very little information about the infrastructure in scope for the security solution.
- Use the RFP process in situations where it slows you down, without offering substantial benefits.
- Avoid defining criteria for objectively evaluating RFP responses.
- Select the solution or vendor in advance, using the RFP to mark a checkbox.
- Underestimate the time your staff needs to devote to processing RFP responses.
- Don't define a process for allowing RFP responders to ask clarifying questions.
- Don't ask detailed clarifying questions after receiving RFP responses.
- Forget to define your business requirements, hoping that RFP responders will do that for you.
- Issue the RFP before your organization is ready to make use of the requested solution.
If you found this list useful, you may also like the brief "cheat sheet" I created for issuing RFPs specific to information security assessments.
Lenny Zeltser - Security Consulting
Lenny teaches a SANS course on analyzing malware.