Educause Security Discussion mailing list archives

Re: Penetration Testing RFP Ideas


From: Brad Judy <brad.judy () CU EDU>
Date: Tue, 21 Feb 2017 19:58:52 +0000

The approach we just took here was to RFP to create a list of vendors that could then be contracted quickly for 
individual engagements.  It was a bit different than most RFP processes since there was not a scope of work in the RFP, 
just an evaluation of each vendor’s documentation, processes, pricing, etc. against a variety of factors (industry best 
practices, company experience, etc.). 

Our process here is designed to prevent being forced to choose a low-ball vendor as we decide ahead of time how much 
weight to place on cost and it’s typically in the 25% range.  Spend some time with your procurement team to understand 
your options to ensure the best possible vendor.  

Brad Judy
 
Information Security Officer
Office of Information Security
University of Colorado 
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu <http://www.cu.edu/>
On 2/21/17, 11:25 AM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Justin Harwood" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of Justin.Harwood () CPCC EDU> wrote:

    I was wanting to ask this community if there is anyone else in here who has written an RFP lately for internal/external penetration testing services. I’m looking for ideas on how I’m crafting the document that lists out all the technical requirements and things I want to be considered in order to help decide the best vendor to choose. What I’m looking for is ideas to ensure that I have enough information so that I don’t get a low-ball bid response and have to go with them if they aren’t a vendor we think meets our expectations/qualifications.
    
    Thanks,
    
    Justin
    