Before drafting and issuing an RFP
- Determine business process(es) impacted by the new product/ system/ application/ process
- Determine type and sensitivity of data impacted
- Determine the availability requirement for the new product/ system/ application and related processes.
- Assess risk of the product /system/ application/ process (If applicable)
- If data impacted is sensitive or specifically protected by state and federal laws (If not, a general security requirements boilerplate provided by the institution Office of General Counsel should be adequate)
- Determine the information security requirements needed to safeguard the data (regardless of hosting location)
- If the system/ application/process is developed, outsourced and/or hosted at a third-party's location
- Determine requirements needed to limit access and safeguard data transmission, storage, and retention
- Determine if an RFP is required or desired for the procurement
During draft and review of RFP
- Incorporate requirements identified in Item 1.e and 1.f in the RFP and in the copy of the institution's Agreement included in the RFP.
After issuing the RFP and/or Vendor Evaluation
- Identify the office, team or individual(s) responsible for reviewing and assessing vendor answers to the information security questions included in the RFP response.
- Review vendor answers provided in RFP response. Explanations should be specific and describe procedures and/or products used to meet the requirements
- Identify questions and/or requirements that need further clarification or answers that do not meet requirements.
- Follow up with vendor through email or conference call - as long as it is documented - regarding items identified
- If applicable, request a product trial to test product functionality and security features
- If the system/ process/ application is outsourced or hosted at a third-party location
- Assess the risk of using the finalist third-party vendor. This may be done by requiring finalist vendors to complete a third-party information security assessment survey, or by other risk assessment processes such as a site inspection.
- Call vendor references and discuss the completed vendor survey to assess if there is evidence of non-performance at other clients sites
- Identify areas needing mitigation and required cure and include them as language in final agreement and/or statement of work.
Questions or comments? Contact us.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).