SANS ISC: Top 10 Mistakes When Crafting a Security RFP

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Creating RFPs for security solutions and processing the responses is not an easy task. Having responded to a fair number of such RFPs, I found that many of them are created hastily, and don’t allow the issuer to benefit from quality responses.

Here's my list of the top 10 mistakes organizations make when crafting a security RFP:

1. Create the RFP in a silo, without considering input from stakeholders throught the organization.
2. Provide very little information about the infrastructure in scope for the security solution.
3. Use the RFP process in situations where it slows you down, without offering substantial benefits.
4. Avoid defining a criteria for objectively evaluating RFP responses.
5. Select the solution or vendor in advance, using the RFP to mark a checkbox.
6. Underestimate the time your staff needs to devote to processing RFP responses.
7. Don't define a process for allowing RFP responders to ask clarifying questions.
8. Don't ask detailed clarifying questions after receiving RFP responses.
9. Forget to define your business requirements, hoping that RFP responders will do that for you.
10. Issue the RFP before your organization is ready to make use of the requested solution.

If you found this list useful, you may also like the brief "cheat sheet" I created for issuing RFPs specific to information security assessments.

-- Lenny

Lenny Zeltser - Security Consulting

Lenny teaches a SANS course on analyzing malware.