Security Requirements for Contracts

Contracts with third parties are a normal part of business. Because security has become such a concern for most organizations and government entities, contracts now include sections that explicitly detail the security requirements for the vendor. Organizations should consult with legal counsel to ensure that the contracts they execute include the appropriate security requirements to satisfy not only the organizations’ needs but also any government regulations and laws.

An organization may want to consider including provisions such as the following as part of any contracts:

  • Required policies, practices, and procedures related to handling organizational data

  • Training or certification requirements for any third-party personnel

  • Background investigation or security clearance requirements for any third-party personnel

  • Required security reviews of third-party devices

  • Physical security requirements for any third-party personnel

  • Laws and regulations that will affect the contract

Security professionals should research security requirements for contracts, including RFPs, RFQs, RFIs, and other agreements.

Request for Proposal (RFP)

An RFP is a bidding-process document issued by an organization that gives details of a commodity, a service, or an asset that the organization wants to purchase. Potential suppliers use the RFP as a guideline for submitting a formal proposal.

Suppose that, after three vendors submit their requested documentation, two members of senior management have a better understanding of what each vendor does and what solutions each can provide. Now the managers want to see in detail how those solutions would meet the firm's requirements. The managers should submit an RFP to the three submitting firms to obtain this information.

Request for Quote (RFQ)

An RFQ (sometimes called an invitation for bid [IFB]) is a bidding-process document that invites suppliers to bid on specific products or services. RFQs often include item or service specifications. An RFQ is suitable for sourcing products that are standardized or produced in repetitive quantities, such as desktop computers, RAM modules, or other devices.

Suppose that a security administrator of a small private firm is researching and putting together a proposal to purchase an intrusion prevention system (IPS). A specific brand and model has already been selected, but the security administrator still needs to gather cost information for that product. The security administrator should prepare an RFQ to support a cost analysis report. The RFQ would include information such as payment terms.

Request for Information (RFI)

An RFI is a bidding-process document that collects written information about the capabilities of various suppliers. An RFI may be used prior to an RFP or RFQ, if needed, but can also be used after these if the RFP or RFQ does not obtain enough specification information.

Suppose that a security administrator of a large private firm is researching and putting together a proposal to purchase an IPS. The specific IPS type has not been selected, and the security administrator needs to gather information from several vendors to determine a specific product. An RFI would assist in choosing a specific brand and model.

Now let’s look at an example where the RFI comes after the RFP or RFQ. Say that three members of senior management have been working together to solicit bids for a series of firewall products for a major installation in the firm’s new office. After reviewing the RFQ responses received from three vendors, the three managers still have no real data on the specifications of any of the solutions, and they want that data before the procurement continues. To get the procurement back on track, the managers should contact the three submitting vendor firms and have them respond to a supporting RFI that provides more detailed information about their product solutions.

Agreement or Contract

Organizations use other types of agreements with third parties besides those already discussed. Even though many of these agreements are not as formal as RFPs, RFQs, or RFIs, it is still important for an organization to address any security requirements in an agreement to ensure that the third party is aware of the requirements. This includes any types of contracts an organization uses to perform business, including purchase orders, sales agreements, manufacturing agreements, and so on.