Procuring the services of an outside consulting firm or vendor to conduct an objective risk and vulnerability assessment is not an easy task. This is especially true if the assessment is to be intrusive or nonintrusive.
Many organizations desire a rigorous risk and vulnerability assessment that includes the use of tools to find and uncover risks, threats, and vulnerabilities on a production network. This type of intrusive assessment means that the assessor will utilize tools and monitor the IT infrastructure during production hours when tests will be conducted. Some organizations demand that a nonintrusive risk and vulnerability assessment be conducted given the sensitivity and nature of their production systems and environments. In most cases, risks, threats, and vulnerabilities can be identified through careful examination of the IT infrastructure physically, logically, and on-site at the organization's data center and facilities.
When purchasing the outside services of an objective, independent consultant or vendor company to conduct a risk and vulnerability assessment, consider these best practices:
- Make sure the consultant or vendor company does not sell or represent any hardware or software products. This may bias their assessment and recommendations. One way to eliminate any bias is to disqualify the consultant or vendor selected for the risk and vulnerability assessment from selling any hardware or software products that may be recommended for securing the organization's IT infrastructure and assets.
- Objectivity can best be obtained by hiring a consultant or vendor company that is independent and that does not resell or represent any products of any kind. Many organizations make it an RFP mandatory minimum requirement that the consulting firm be only a consulting firm and not a reseller of products and services.
- Obtain and check at least three past performance references from the consultant or vendor company and ask them how their risk and vulnerability assessment project was using the consultant or vendor company.
- Define the Statement of Work's tasks and deliverables very succinctly and specifically within the RFP document itself. This way the purchasing organization knows exactly what it is buying and what it wants from the risk and vulnerability assessment.
- Define and map the goals and objectives for conducting the risk and vulnerability assessment to the organization's business drivers. This will ensure that the results of the risk and vulnerability assessment can be used to build a business case for enhancing the security of the IT infrastructure throughout the organization.
- Ask the consultant or vendors in the RFP response section to describe their understanding of the project, their approach to conducting the risk and vulnerability assessment, and how much time and resource support from the organization they are going to need to fulfill the tasks and deliverables. The consultants or vendor's response to these questions will clearly identify whether the consultant or vendor understands the situation and how they will approach the project. If the consultant or vendor company requires a significant amount of the organization's IT and IT security resources, that may not fall favorably with the RFP evaluation, especially if there is minimal IT and IT security staff. Obviously, the purchasing organization has to make a resource commitment for this type of project to be pursued. Risk and vulnerability assessments require extensive interviewing of personnel, collection and review of IT infrastructure, and asset documentation; access to systems and assets throughout the IT infrastructure must either be granted or performed by the organization's IT staff in the presence of the consultant or vendor company conducting the risk and vulnerability assessment service.
- Create and define the selection criteria and RFP evaluation point system up front, especially if there is no need to do so in a nonpublic procurement procedure. This is important to do so that objectivity in the evaluation of the RFP is methodical and unbiased.
- Ask the consultant or vendor for a 100% performance guarantee for the tasks and deliverables associated with the risk and vulnerability assessment service. This is important to obtain if you quite simply don't trust the consultant or vendor company. There are some consultants and vendor companies that will provide a 100% performance guarantee. It is not a guarantee for repayment, but rather a guarantee that the consulting firm or vendor company will redo any task or deliverable at its cost if the organization is not completely satisfied with the deliverable.
- Obtain the resumes of the actual people on the risk and vulnerability assessment project team. These individuals should be proficient in the IT systems and environment that is to be assessed. They should have proper training and professional certifications in the information security field, such as CISSP or GIAC, and the technical writing and documentation deliverables of these individuals should be reviewed. It does not hurt to ask the consultant or vendor company for writing samples to review as part of the evaluation.
- Negotiate favorable rates and delay payments to the consultant or vendor company until project deliverables are submitted and accepted. Delaying payments upon delivery and acceptance of the project's deliverables minimizes any potential problems or risk that the consultant or vendor company did not perform to the organization's satisfaction
- Implement a fixed-fee, not-to-exceed maximum contract value for the tasks and deliverables as stated in the LOU, RFQ, RFP, or SoW. This protects the organization from any unknowns or outside-the-scope-of-work issues that may arise. Typically, the consultant or vendor company must submit a Change in Scope Acceptance form that describes any new tasks or deliverables that are required after the project commences. This Change in Scope Acceptance form protects both the consultant or vendor company and the organization from any project unknowns, overages, or unauthorized hours for tasks and deliverables that are not officially approved.
- Specify the desired format and sections of the project deliverables in the LOU, RFQ, RFP, or SOW. For example, always ask for an Executive Summary, Project Approach Section, Summary of Findings, Assessment, and Recommendations. This will assist in the communication and delivery of the recommendations to the organization's executive management team. This will allow the organization to pull from the deliverables information and data needed to create executive management presentations and reports to make sound business decisions.
In summary, dealing with consultants and vendor companies can be a tedious and unpleasant experience, especially if you are being sold something, rather than finding a solutions partner. For risk and vulnerability assessments, use of independent or small consulting firms may provide you with the necessary technical and security expertise at a much lower cost. Use of a large consulting firm or vendor company may not be the most cost-effective, but may provide more experience and project references.
The personality of the organization should match the personality of the consultant or vendor company in that the consultant's or vendor's understanding of the project, approach to the project, and style for working with the organization are also factors to consider when selecting an outside consultant or vendor company. The most important evaluation element to consider for hiring an outside consultant or vendor company is how that consultant or vendor reiterates the understanding of the project and their approach for handling the risk and vulnerability assessment.
The consultant's or vendor's ability to articulate this as well as map the project's tasks and deliverables to their approach to the project should be evaluated carefully for relevance to the organization's ultimate project goals and objectives. This is the most important criteria to review and evaluate when selecting an outside consultant or vendor company to perform a risk and vulnerability assessment.