SANS ISC InfoSec Forums
Top 10 Mistakes When Crafting a Security RFP

Creating RFPs for security solutions and processing the responses is not an easy task. Having responded to a fair number of such RFPs, I found that many of them are created hastily, and don’t allow the issuer to benefit from quality responses.

Here's my list of the top 10 mistakes organizations make when crafting a security RFP:

  1. Create the RFP in a silo, without considering input from stakeholders throughout the organization.
  2. Provide very little information about the infrastructure in scope for the security solution.
  3. Use the RFP process in situations where it slows you down, without offering substantial benefits.
  4. Avoid defining criteria for objectively evaluating RFP responses.
  5. Select the solution or vendor in advance, using the RFP to mark a checkbox.
  6. Underestimate the time your staff needs to devote to processing RFP responses.
  7. Don't define a process for allowing RFP responders to ask clarifying questions.
  8. Don't ask detailed clarifying questions after receiving RFP responses.
  9. Forget to define your business requirements, hoping that RFP responders will do that for you.
  10. Issue the RFP before your organization is ready to make use of the requested solution.

If you found this list useful, you may also like the brief "cheat sheet" I created for issuing RFPs specific to information security assessments.

-- Lenny

Lenny Zeltser - Security Consulting

Lenny teaches a SANS course on analyzing malware.


Jan 9th 2009
