Depending on the type of organization, procurement laws, mandates, and regulations may apply in the organization's jurisdiction. Most such laws require the U.S. federal government, state governments, and county and municipal governments to purchase products or services through formal public bidding and procurement procedures such as Invitations to Bid, Requests for Proposals, or Requests for Quotations. The same is true of the Canadian federal government and the provincial governments within Canada. Most corporations, whether privately held or publicly traded, are not subject to procurement laws, mandates, or regulations. When purchasing professional services, work with your purchasing department to understand the purchasing and procurement procedures that must be followed when procuring professional services of any kind.
The following presents terminology that the reader must become familiar with when purchasing or procuring consulting services for conducting a risk and vulnerability assessment.
- Letter of Understanding (LOU) This is an informal letter that is typically attached to a purchase order for the procurement of the services described in the LOU. It is a nonbinding, noncontractual engagement letter that describes the tasks, deliverables, and terms and conditions for the consulting engagement. The LOU is used by consulting firms and independent consultants who prefer to work for clients under this nonbinding, noncontractual style of letter. The LOU typically generates a purchase order in which the LOU and its tasks and deliverables are clearly defined.
- Invitation to Bid (ITB) This is a formal procurement document and procedure that solicits bids from consultants and vendors who wish to respond to the ITB. An ITB is typically required by law or mandate in certain states, provinces, counties, or municipalities that require a formal bid process to purchase products or services exceeding a certain dollar value. For example, an ITB may be required to procure products or services if the value is greater than $15,000.00 USD or $15,000.00 CAD.
- Request for Information (RFI) An RFI is an excellent method for obtaining additional information, requirements, and tips for crafting a formal ITB or RFP document. The RFI is an excellent vehicle for asking technical and nontechnical questions of consultants and vendors, from which the organization can learn and then craft a more detailed and specific ITB or RFP for the procurement of consulting services for a risk and vulnerability assessment project. Creating and submitting an RFI is typically done in accordance with procurement laws, mandates, and regulations (if any). An RFI is merely a tool for asking the consultant and vendor community technical and nontechnical questions about how best to approach a risk and vulnerability assessment for the organization. The answers to the RFI can then be reviewed and assimilated into the final requirements and the description of the tasks and deliverables the organization desires.
- Request for Quotation (RFQ) This is a formal procurement document and process that is typically used when consultants or vendors are already on an approved consultant or vendor list for providing IT and IT security professional services. Many state, provincial, and county governments use the RFQ to purchase and procure products and services from existing state and county government contract vehicles. RFQs are submitted to approved consultants and vendors for products and services that are already on the approved state, provincial, or county government bid list. Tasks and deliverables are provided in the RFQ, and pricing is determined by applying the hourly rates for professional services from the state and/or county government contracts for professional services. RFQs streamline the procurement process and are typically used by state, provincial, and county governments when procuring products and services through approved state, provincial, and county contract vehicles.
- Request for Proposal (RFP) This is typically the most expensive and time-consuming of all the formal procurement procedures and is used for large-scale, high-dollar-value purchases of products and services. An RFP is typically required by law or mandate for U.S. and Canadian federal, state, provincial, county, and municipal governments that require a formal bid process to purchase products or services that exceed a certain dollar value, that are large in scale, or that extend into more than one fiscal year. The RFP process typically follows a sequential procurement procedure as defined by federal, state, provincial, county, and municipal procurement laws, mandates, and regulations. This detailed process is what makes the RFP the most expensive and time-consuming procurement procedure for an organization. These steps are described later in this appendix.
- Statement of Work (SOW) An SOW is a document that defines the scope of work, tasks, and deliverables to be completed for the professional services engagement. An SOW must be clearly written and understood by both parties; it describes in detail what the project tasks consist of and what project deliverables will be provided throughout the life of the project. An SOW can be attached to a purchase order for direct purchasing or inserted into a larger procurement document such as an LOU, ITB, RFQ, or RFP.
Appendix D. Dealing with Consultants and Outside Vendors