Appendix D. Dealing with Consultants and Outside Vendors

Once the decision has been made to conduct an internal risk and vulnerability assessment, the next decision is how to proceed and whether to conduct the assessment with internal or external resources. Organizations that have the resources and skills needed to conduct an objective risk and vulnerability assessment can do so with internal resources. However, using internal employees may result in prejudice and a nonobjective perspective when it comes to assessing and recommending specific remedies or courses of action to mitigate or remediate known risks, threats, and vulnerabilities. Conducting the assessment with an outside consultant or vendor will allow for an objective and unbiased assessment and recommendation.

This appendix provides an overview of how to procure outside consultants or vendors, what to include in the proposal or statement of work, and how to evaluate consultants and vendors who respond to the proposal or statement of work to conduct a risk and vulnerability assessment on the organization's IT infrastructure and assets. It also gives an overview of the different procurement methods that can be used when contracting with an outside consultant or vendor. In addition, it provides some useful tips and approaches to ensure that the outside consultant or vendor delivers the tasks and deliverables specified in the proposal or statement of work document.

Some organizations may want to hire a consultant to write the actual proposal or statement of work for conducting an objective risk and vulnerability assessment. In this case, the consultant should not be allowed to respond to the proposal or statement of work, because intimate familiarity with the IT infrastructure and assets would give that consultant an unfair advantage. Other organizations will craft a proposal or statement of work themselves and solicit proposal responses in order to make a sound business decision about hiring an outside consultant or vendor to perform the objective risk and vulnerability assessment. Selection criteria for hiring an outside consultant are created, and the responses are then evaluated against them so that a contract award can be made.

This appendix will focus on the latter process, in which organizations craft their own proposal and statement of work documents to solicit bids and proposal responses for conducting a risk and vulnerability assessment service offering.




Inside Network Security Assessment: Guarding Your IT Infrastructure
ISBN: 0672328097
EAN: 2147483647
Year: 2003
Pages: 138
