Procurement Management Purchasing Hardware Software Vendor Services Consulting Services Outsourcing development Training Services Maintenance Documents Contract Specification Statement Of Work
Procurement management processes Processes Planning Conducting procurement Administering Closing Procurement can be organized as a sub- project
Procurement management processes Planning Initial market research Decide about what to buy Preliminary cost estimation Make short list of vendors (2 to 5 names)
Procurement management processes Conducting procurement Request For Proposals (RFP) sent out to vendors RFP must reflect critical requirements, both functional and non-functional. It must enable vendor evaluation, otherwise it will be useless Respectively, evaluation criteria must be defined (do not send them to vendors) Collect responses Responses review and evaluation Communicate to vendors Select a vendor
Generic RFP structure RFP set of criteria should reflect: Management approach – 30% Technical approach – 30% Past performance – 20% Price – 20% Weights are assigned in order to facilitate responses evaluation Management approach and past performance groups of criteria most probably exist, when technical approach must be developed for each project specifically
Technical part of RFP The following must be addressed Functional capabilities - Yellow Platform solution - Red Open architecture - Orange Security - Green Performance - Blue Scalability - Purple Usability (ease of use) - Brown T
Technical Part of RFP – Functional capabilities Two-factor authentication Team Yellow Snake
Questions to ask our Vendors What authentication factors/forms does your product support? What directory services does your product integrate with? Where is your product currently deployed? Does your product support federated user authentication? What federated user authentication protocols does your product support?
Functional Capabilities Do you offer 24/7 technical support? What Data and transport encryption protocols does the product support? Comments The questions are good and relevant, except of one re the product deployment. This one is better to locate at the section that requests about the company experience
Questions Current Solutions for: Linux Server Windows Workstation Licenses Type of licenses Number of computers per license Effectiveness - % of malware protection Maintenance – updates and patches Support Interaction with other software? Comments: First group is fine but Others are not relevant to The topic. Better choice Would be to ask about Plans for the future
THE GREEN TEAM IPS Adam, Liane, Paul, Matt It’s not easy being green Security Questions to the vendor
Questions 1. Does your product allow for remote access/administration? 2. What are your terms when it comes to ownership of data (cloud)? 3. Do third parties conduct security assessments on your products? Questions are good re Security. Not all are Relevant to IPS
Questions Cont’d 4. Does your product store data unencrypted? 5. Do you review security at each phase during the software development cycle? 6. What methodologies do you use for testing your products’ security?
Questions Cont’d 10. What are your disaster recovery plans? 11. What are your risk mitigation strategies? 12. How are the end users alerted to new updates?
Questions Cont’d 13. What kind of authentication controls are built into the product? 14. How is your application team educated in current application security risks? 15. What is your process for notifying customers of security problems and the solutions?
TEAM BLUE: Web Traffic Filtering Project - Performance We would like to know…. 1. What are the performing advantages in this system that we should consider over any other similar system in the market? 2. How quickly this integrated system could run up at the beginning of each working day? 3. How many workstations could this system handle? 4. What is the possible down time in annual bases? 5. How many applications could simultaneously run before any indication of system slow down? Good questions
● SIEM (Security information and event management) ● Logging and event management ● Nodes refers to any software that creates log files that are collected by the SIEM software. Good questions
Scalability ● How many additional network nodes can be added? ● Is there a delay in logging if the number of nodes exceed a certain amount? ● How much additional storage capacity required per node? ● Will adding more nodes cost more money? (license restrictions) ● Is it open source? ● Does the interface support WANs? ● How in-depth can individual logs be accessed? (per computer, per software, ect.)
Firewall project RFP Usability Team Brown Mike Max Kowri Nahin
Questions Does this product require more than average technical knowledge in order to operate? Will there be any bottlenecking involved with the implementation of the 3 firewalls? Will it be easy to control the access permissions and privileges for user data travelling through the firewalls? How much throughput will the product be able to analyze before it starts dropping packets?
More Questions Will there be any connectivity complications involved with the different vendor products and because of the more complex network structure? Are we able to increase the number of SSL/VPN peer connections? Good questions although It is difficult to segregate Usability and performance For this sort of tools
Procurement management processes Administering procurement Define procedures and have them described in the RFP. Vendors must be aware about procedures The description must provide information about: Due date of responses submission Document format Delivery channels Contact information
Procurement management processes Closing procurement Having a vendor selected, focus on her performance Make deeper investigation of technical capabilities. Sometimes people conduct a Proof Of Concept project in order to understand things better Prepare a contract (legal document) Prepare technical specification and/or statement of work (SOW) Technical specification is provided to buy products “off the shelf” SOW is provided to buy services, such as Installation and configuration Training Development
SOW content SOW describes the content, terms, and conditions of the purchased (outsourced) service delivery This is some sort of initial project plan that shows the project milestones, critical human resources, and price