Educause Security Discussion mailing list archives
Re: Penetration Testing RFP Ideas
From: Brad Judy <brad.judy () CU EDU>
Date: Tue, 21 Feb 2017 19:58:52 +0000
The approach we just took here was to RFP to create a list of vendors that could then be contracted quickly for individual engagements. It was a bit different than most RFP processes since there was not a scope of work in the RFP, just an evaluation of each vendor’s documentation, processes, pricing, etc. against a variety of factors (industry best practices, company experience, etc.).

Our process here is designed to prevent being forced to choose a low-ball vendor as we decide ahead of time how much weight to place on cost and it’s typically in the 25% range. Spend some time with your procurement team to understand your options to ensure the best possible vendor.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu <http://www.cu.edu/>

On 2/21/17, 11:25 AM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Justin Harwood" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of Justin.Harwood () CPCC EDU> wrote:

I was wanting to ask this community if there is anyone else in here that has written an RFP lately for internal/external penetration testing services? I’m looking for ideas on how I’m crafting out the document that lists out all the technical requirements and things I want to be considered in order to help decide the best vendor to choose?

What I’m looking for is ideas to ensure that I have enough information so that I don’t get a low-ball bid response and have to go with them if they aren’t a vendor we think meets our expectations/qualifications.

Thanks,
Justin
Current thread:
- Penetration Testing RFP Ideas Justin Harwood (Feb 21)
- Re: Penetration Testing RFP Ideas Penn, Blake C (Feb 21)
- Re: Penetration Testing RFP Ideas Ruth Ginzberg (Feb 21)
- Re: Penetration Testing RFP Ideas Velislav K Pavlov (Feb 23)
- <Possible follow-ups>
- Re: Penetration Testing RFP Ideas Brad Judy (Feb 21)