Presentation on theme: "IS4799 Information Systems and Cybersecurity Capstone Project"— Presentation transcript:
1 IS4799 Information Systems and Cybersecurity Capstone Project
Unit 1
Release of an RFP for Security Assessment Services

2 Learning Objective and Key Concepts
- Identify the objectives and detailed requirements of an information technology (IT) security services Request for Proposal (RFP)
Key Concepts
- Format of an RFP document
- Responding to an RFP
- Skills and capability assessment
- RFP response project plan

4 RFP
- Formal solicitation for proposals
  - “Send us quotes for products or services.”
- Useful to compare vendors
  - RFP standards level the playing field.
- Demonstrates equity
  - Helps to avoid favoritism
  - Allows multiple companies to compete for business
- Helps ensure competency
  - All vendors must meet standards.

When an organization needs to acquire products or services, it needs to make its requirements known. The RFP is a common mechanism to solicit proposals from multiple vendors. The RFP is a way for an organization to send the word out to many providers that it needs to purchase products or services. Instead of simply contacting a few known suppliers, the RFP makes it possible for organizations to publish requirements for many provider organizations to access.

RFPs specify the products and services required and define specific guidelines for submitting proposals. Adherence to the RFP’s requirements makes it possible to evaluate and compare proposals from different providers. The RFP process can help remove some of the advantages of organizations with mature marketing efforts by focusing on specific performance requirements. The RFP can give all organizations an equal opportunity to win the business.

Many organizations require formal proposal processes to help standardize the procurement process. Oversight requirements may require any substantial procurement to consider multiple RFP responses to ensure equity among prospective vendors and discourage favoritism. Considering multiple RFP responses also encourages competition and helps ensure the client selects the best overall provider.

Since well-written RFPs include minimum standards for respondents, they exclude vendors that do not meet the standards. In short, RFPs help weed out vendors that cannot demonstrate required competencies.

5 RFP Key Concepts
- Applicability
  - Do the required products or services apply to your organization?
  - Is there a “good fit”?
- Competency
  - Can your organization provide requested products or services?
  - Is there any history of similar engagements?
- Response process
  - Do you understand the response process?
  - Can your organization respond in a manner consistent with the RFP?

RFPs focus on several key concepts and issues that affect the procurement process. The RFP attempts to address each of these procurement concerns and provide a solution that represents the best combination of products and services that meet the requesting organization’s needs.

Applicability – Are the products or services contained in a proposal appropriate and applicable for your organization? Can your organization fill these needs sufficiently and in a manner that is consistent with your business focus?

Competency – Does your organization possess the abilities to provide the requested products and services with a high level of competency? Can you meet budget, schedule, and quality requirements? Experience is the best indicator of future performance. Has your organization done this type of work before?

Response process – Is your organization new to responding to RFPs? Do you understand how to produce a response to an RFP? Is your organization able to make the commitment to perform the necessary actions to develop a solid RFP response?

6 RFP Key Concepts (Continued)
- Commitment to process
  - Authority
  - Resources
- Process management
  - Project management
  - Response activities
  - Fulfillment activities
- Documentation
  - Documentation standards
  - Access policies

Commitment to process – Understanding the RFP process is only part of the process. It is important that all prospective RFP respondents commit to the process of evaluating the RFP and preparing a suitable response. Creating an RFP response is not a trivial task. Many organizations start the process but do not finish because of the effort required. To avoid wasting effort, make sure your organization is committed to completing the RFP response process.

Process management – RFP responses often require many separate activities. It is important for responding organizations to manage the process of preparing the response in order to ensure effort is expended in an efficient manner. Managing the response process as a project generally provides the most effective use of resources. Your organization should explicitly employ project management during the RFP response process and for conducting the proposed activities if your organization is awarded the contract.

Documentation – As with managing any project effectively, it is important to document all activities. Good documentation will allow you to better communicate your intentions in the RFP response as well as evaluate the positive and negative aspects of the response process once you have completed the activities. Evaluating past activities often reveals lessons that can make future activities more effective.

7 RFP Sections
- Introduction
- Schedule of events
- Proposal requirements
- Vendor requirements
- Award criteria and process
- Appendices

Introduction – RFP purpose, scope, and necessary background information. The introduction sets the stage for the RFP and summarizes its main points.

Schedule of events – A list of important milestones and deadlines that pertain to the RFP response and award process.

Proposal requirements – Definition of the products and services the RFP requires.

Vendor requirements – Standards each vendor must meet to be considered as an authorized RFP respondent. This section may also list desired vendor characteristics that may not be mandatory.

Award criteria and process – Details about how the client will evaluate RFP responses and award the business to one or more vendors.

Appendices – Any additional information necessary to fully document the RFP intent, requirements, and process.

8 RFP Introduction
- Statement of purpose
- Scope
- Compliance stipulations
- Communications
- Initial process

Each RFP introduction is different and will contain information that is specific to that RFP. Many RFPs contain general information that is common, including the following:

Statement of purpose – The statement of purpose summarizes the intent and purpose of the RFP and briefly conveys the reasons for its existence. While it doesn’t contain many performance requirements, this section provides a very general overview of the RFP. The statement of purpose is deliberately high-level and provides few details.

Scope – Readers should gain a general sense of the performance requirements of the RFP from this section. The scope defines the specific products, services, period, terms, and conditions of the RFP. In many RFPs, the scope section simply refers readers to appropriate appendices for more detailed coverage.

Compliance stipulations – The introduction often contains any general compliance stipulations that apply to the RFP process, including vendor selection and performance of the proposal contents. While government-related RFPs almost always contain statements of compliance with equal opportunity and disability regulations, any other mandatory compliance requirements will be included here.

Communications – This section defines the primary point of contact with the client and the preferred communication mechanism.

Initial process – The introduction normally contains brief instructions that inform prospective respondents how to get started in the RFP response process and lists any upcoming meetings or events.

9 RFP Schedule
- Specifies important RFP milestones
- Provides initial target dates for response project
- Sets the pace of the response effort
- Helps organize activities

The schedule section is generally a list of important RFP process milestones. This section defines the basic plan for the process from the perspective of the client. It is important for respondents to carefully evaluate the requirements necessary to meet each of the dates in the schedule. The schedule contains information that helps respondents:
- Understand important RFP milestones and deliverable due dates.
- Develop initial project schedules for the response effort.
- Determine the pace and work effort required to produce an RFP response.
- Organize and prioritize response efforts.

10 RFP Requirements
- Requirements to successfully fulfill the RFP
- Specifies required vendor action
- Sets the expectation for deliverables
- Provides evaluation criteria

The RFP requirements section, sometimes called the Proposal requirements section, defines the contents and form of an acceptable RFP response. The RFP response, or proposal, must contain the elements defined in this section and propose solutions as specified in the requirements section.

This section includes:
- The requirements that must be addressed in an acceptable proposal
- Required vendor actions that result in providing one or more products or services
- Expectations of deliverable cost, quality, and availability schedule
- The criteria used to determine suitability of all requirements

11 Vendor Requirements
- Specifies prerequisites for vendors
- Defines minimum requirements to “play”
- Can indicate actions prior to submittal
- Coalitions can form to satisfy requirements

The vendor requirements section defines any requirements that respondents must meet to be eligible to participate in the RFP process. This section can include many different types of requirements, including business organization, size, classification, and prior experience.

This section includes:
- Explicit vendor requirements, such as the organization type, classification or certifications, or status as a registered vendor (common with government RFPs)
- Minimum requirements to be considered a valid vendor, such as size, sales volume, or location coverage
- Actions that vendors must complete prior to submitting a proposal, such as attaining certification or other status

Although the RFP contains requirements for vendors, if your organization lacks any of the requirements, you may be able to form a partnership with one or more organizations that do possess the missing requirements. Check the RFP details to ensure partnership proposals are allowed.

13 Response Process
- Evaluate the RFP.
- Participate in interim meetings.
- Plan response activities.
- Satisfy vendor requirements.
- Propose solution to RFP requirements.
- Deliver proposal.

Although the schedule of events section contains the initial schedule, this schedule is from the client’s perspective. It is important that you organize the RFP response process as a project. Take the time and expend the effort to organize and plan it, just as you would any other project. The general steps of the response process include:

Evaluate the RFP – Carefully read the RFP and note any elements that require action.

Participate in interim meetings – Schedule resources to participate in all mandatory RFP meetings and attempt to attend as many non-mandatory meetings as possible.

Plan response activities – Use the input from the RFP and any subsequent communications and meetings to develop a project plan of activities that result in a proposal.

Satisfy vendor requirements – Ensure your organization or business partners satisfy all vendor requirements in the RFP. Pursue solutions to any gaps in vendor requirements.

Propose solution to RFP requirements – Develop a proposal that satisfies each element of the RFP.

Deliver proposal – Formally deliver and present the primary deliverable, the proposal.

14 Award Process
- Client to receive proposals
- Possible clarification requests
- Evaluation
- Possible additional rounds
- Final award and announcement

The award process differs with each RFP, but the general flow of events is fairly consistent. The process of awarding one or more contracts that result from an RFP includes:

Proposal submission and receipt – The client receives all proposals by a specified date and considers proposals that meet the submission requirements.

Proposal clarification requests – In some cases, the client may query one or more respondents, requesting additional information or clarification of information contained in the submitted proposal.

Evaluation – Once the client has received all of the necessary information, the evaluation process begins. The client evaluates each vendor’s proposal and determines the best offering or a small group of the best vendor offerings.

Possible additional rounds – Some RFPs are organized in multiple rounds. The initial round identifies the most likely contenders while subsequent rounds further identify the best candidate or candidates.

Final award and announcement – The last step in the RFP process is to award the contract or contracts to the selected vendors and announce the decision according to the defined communication mechanism.

16 Key Roles
- Client Representative
- Project Manager
- IT Manager

Responding to an RFP requires cooperation among several roles. Each role is vital to the process. The most important roles include:

Client representative – Main point of contact with the client for vendor communication. The client representative coordinates all forms of communications and forwards queries and answers to the appropriate destination.

Project manager – Responsible for leading the effort to plan, execute, and manage the actions required to develop the final proposal.

IT manager – Responsible for working with the project manager to determine and provide necessary resources for the proposal development project and the product and services fulfillment activities if awarded the contract.

17 Key Roles (Continued)
- HR Manager
- General Management

Additional key roles to the RFP process:

HR manager – Responsible for working with the project manager to determine and provide necessary personnel for the proposal development project and the product and services fulfillment activities if awarded the contract.

General management – Responsible for providing the authority and funding for the proposal development project and for all activities related to providing products or services if awarded the contract.

19 Your Firm
- Security services provider
- In business since 1995
- Started as database specialist
- Expanded to offer full security services

Details about your firm

Your firm is a security services provider. Your clients include organizations of various sizes, but most clients are state and federal government agencies that must demonstrate compliance with specific security-related regulations. Your firm was formed in 1995 as a small corporation with only four employees. At that time, the firm’s focus was to provide database performance tuning and security services for database applications. By 2000, your firm routinely provided complete security services, including assessments, penetration tests, policy creation, and regulatory compliance assistance.

Today, your firm seeks opportunities to solve security-related issues and make government agencies and mid-sized organizations operate in a more secure manner.

20 Requirements
Evaluate RFP to determine:
- Vendor requirements
- Performance requirements

The first step in responding to an RFP is to evaluate the RFP requirements to determine what must be done. In short, the initial phase of RFP evaluation should produce a list of:

Specific vendor requirements – Determine whether your organization is qualified (or can become qualified) to submit a proposal. If your firm (or partners with whom you can work) cannot meet the minimum vendor requirements, there is no need to proceed.

Performance requirements – Determine what you must do to effectively meet the RFP’s requirements. This list of requirements will provide the initial task list that should eventually provide the activities for your project schedule.

21 Requirements Gaps
Any difference between:
- What your firm can perform
- What the RFP requires
Gaps can be:
- Vendor requirements gaps
- Performance capability gaps
Multiple ways to address gaps:
- Outsource
- Innovate
- Upgrade
- Cooperate

Once you have completed the list of vendor and performance requirements, the next step is to evaluate your firm’s ability to meet, or exceed, the requirements. A gap is any difference between what your firm performs and what the RFP requires. Positive gaps are fine. A positive gap is any situation in which your firm exceeds the requirement. The problem is with negative gaps. A negative gap is any situation in which your firm cannot currently meet one or more requirements.

Gaps can exist in both vendor requirements and performance requirements. Either type of requirement gap may make your firm ineligible to submit a proposal. This is where really understanding the RFP is crucial. Some gaps are show-stoppers. Other gaps relate to optional requirements and do not automatically invalidate your firm as a proposal process participant. Identify all requirement gaps and then determine their importance to the RFP response process.

Once you identify gaps and decide to address them, there are several options to close gaps. These options include:

Outsource – Use an external resource to provide a capability that your firm cannot satisfy.

Innovate – Expand your firm’s offerings to include new products or services that satisfy RFP requirements.

Upgrade – Update or upgrade your firm’s capabilities to offer expanded options to existing services or products to satisfy RFP requirements.

Cooperate – Partner with one or more firms that can participate by offering products or services that satisfy RFP requirements. Cooperation differs from outsourcing in that all participants in a cooperative model share the risks and rewards.

22 Additional Information Needed
- Missing RFP details
- Clarification information
- Alternate/substitute deliverables
- Any unclear or unknown issues

Part of the initial RFP evaluation is also to identify any questions or missing information. It is important to ensure your firm has complete information so that your RFP response is based on an accurate understanding of the RFP’s contents. Additional information may be necessary for several reasons, including:

Missing RFP details – The client may have omitted some details from the RFP that are necessary for preparing a proposal.

Clarification information – Your firm may need clarification of one or more items to ensure you are using correct assumptions.

Alternate/substitute deliverables – In some cases there may be viable products and services that are equivalent, or even superior, to the products and services defined in the RFP. When made aware of the alternatives, the client may accept replacements in a proposal.

Any unclear or unknown issue – Any confusion or unclear issue needs to be specified. Your firm’s responsibility is to clarify as many questions as possible. The most effective proposals are the ones that have the least ambiguity.

24 Next Step
- Question list
  - Produce a list of questions
  - Include items to address any missing information
- Bidder’s conference
  - Meeting of client and potential vendors
  - Opportunity to ask questions

The initial step, after evaluating the RFP, is to contact the vendor with intent and questions. Prepare a list of questions that includes all missing information, clarifications, and other items where ambiguity exists. Be specific and complete.

The initial meeting in many RFP processes is the Bidder’s Conference. This is the meeting in which potential vendors can meet the client, submit their list of questions, and learn more about the client and the RFP process. You’ll learn more about the Bidder’s Conference in the next unit.

25 Summary
- An RFP is a common mechanism to solicit proposals from multiple vendors.
- Responding to an RFP requires cooperation among several roles, including client representative, project manager, IT manager, HR manager, and general management.
- Responding to an RFP includes identifying vendor and performance requirements.
- A requirements gap is any difference between what your firm performs and what the RFP requires.
- After evaluation, you need to prepare a list of questions that include all missing information and clarifications.