Appendix D. Dealing with Consultants and Outside Vendors
After the decision has been made to conduct an internal risk and vulnerability assessment, deciding how to proceed and whether to conduct the risk and vulnerability assessment with internal resources or external resources is the next decision. Conducting a risk and vulnerability assessment with internal resources can be done by organizations that have the resources and skills needed to conduct an objective risk and vulnerability assessment. Using internal employees to conduct an internal risk and vulnerability assessment may result in prejudice and a nonobjective perspective when it comes to assessing and recommending specific remedies or courses of action to mitigate or remediate known risks, threats, and vulnerabilities. Conducting a risk and vulnerability assessment with an outside consultant or vendor will allow for an objective and unbiased assessment and recommendation.
This appendix provides an overview of how to procure outside consultants or vendors, what to include in the proposal or statement of work, and how to evaluate consultants and vendors who are responding to the proposal or statement of work to conduct a risk and vulnerability assessment on the organization's IT infrastructure and assets. This appendix provides the reader with an overview of the different procurement methods that can be utilized when contracting with an outside consultant or vendor. In addition, this appendix provides some useful tips and approaches to ensure that the outside consultant or vendor provides the tasks and deliverables as per the proposal or statement of work document.
Some organizations may want to hire a consultant to write the actual proposal or statement of work for conducting an objective risk and vulnerability assessment. In this case, the consultant should not be allowed to respond to the proposal or statement of work given that they have an unfair advantage because of their intimate familiarity with the IT infrastructure and assets. Other organizations will craft a proposal or statement of work and solicit proposal responses to make a sound business decision pertaining to the hiring of an outside consultant or vendor to perform the objective risk and vulnerability assessment. The creation of selection criteria for hiring an outside consultant is then evaluated so that a contract award can be made.
This appendix will focus on the later process in which organizations craft their own proposals and statement of work documents to solicit bids and proposal responses for conducting a risk and vulnerability assessment service offering.
Introduction to Assessing Network Vulnerabilities
- Introduction to Assessing Network Vulnerabilities
- What Security Is and Isnt
- Process for Assessing Risk
- Four Ways in Which You Can Respond to Risk
- Network Vulnerability Assessment
Foundations and Principles of Security
- Foundations and Principles of Security
- Basic Security Principles
- Security Requires Information Classification
- The Policy Framework
- The Role Authentication, Authorization, and Accountability Play in a Secure Organization
- Encryption
- Security and the Employee (Social Engineering)
Why Risk Assessment
- Why Risk Assessment
- Risk Terminology
- Laws, Mandates, and Regulations
- Risk Assessment Best Practices
- Understanding the IT Security Process
- The Goals and Objectives of a Risk Assessment
Risk-Assessment Methodologies
- Risk-Assessment Methodologies
- Risk-Assessment Terminology
- Quantitative and Qualitative Risk-Assessment Approaches
- Best Practices for Quantitative and Qualitative Risk Assessment
- Choosing the Best Risk-Assessment Approach
- Common Risk-Assessment Methodologies and Templates
Scoping the Project
- Scoping the Project
- Defining the Scope of the Assessment
- Reviewing Critical Systems and Information
- Compiling the Needed Documentation
- Making Sure You Are Ready to Begin
Understanding the Attacker
- Understanding the Attacker
- Who Are the Attackers?
- What Do Attackers Do?
- Reducing the Risk of an Attack
- How to Respond to an Attack
Performing the Assessment
- Performing the Assessment
- Introducing the Assessment Process
- Level I Assessments
- Level II Assessments
- Level III Assessments
Tools Used for Assessments and Evaluations
- Tools Used for Assessments and Evaluations
- A Brief History of Security Tools
- Putting Together a Toolkit
- Determining What Tools to Use
Preparing the Final Report
- Preparing the Final Report
- Preparing for Analysis
- Ranking Your Findings
- Building the Final Report
- Contents of a Good Report
- Determining the Next Step
- Audit and Compliance
Post-Assessment Activities
- Post-Assessment Activities
- IT Security Architecture and Framework
- Roles, Responsibilities, and Accountabilities
- Security Incident Response Team (SIRT)
- Vulnerability Management
- Training IT Staff and End Users
Appendix A. Security Assessment Resources
Appendix B. Security Assessment Forms
- Information Request Form
- Document Tracking Form
- Critical Systems and Information Forms
- Level II Assessment Forms
Appendix C. Security Assessment Sample Report
- Appendix C. Security Assessment Sample Report
- Notice
- Executive Summary
- Statement of Work
- Analysis
- Recommendations
- Conclusions
Appendix D. Dealing with Consultants and Outside Vendors
- Appendix D. Dealing with Consultants and Outside Vendors
- Procurement Terminology
- Typical RFP Procurement Steps
- Procurement Best Practices
Appendix E. SIRT Team Report Format Template
EAN: 2147483647
Pages: 138
