Educause Security Discussion mailing list archives
Re: Penetration Testing RFP Ideas
From: Velislav K Pavlov <VelislavPavlov () FERRIS EDU>
Date: Thu, 23 Feb 2017 17:46:11 +0000
I recommend reading CREST https://www.crest-approved.org/wp-content/uploads/2014/11/PenTest-Procurement-Buyers-Guide.pdf. Email me if there is interest in seeing an example RFP for an internal/external pentest with phishing simulation. There is a difference between a pen test, a vulnerability assessment, and a risk assessment.

Vel Pavlov | Coordinator, IT Security
M.Sc. ISM, CISSP, C|HFI, C|EH, C)PTE, Security+, CNA, MPCS, ITILv3F, A+
VelPavlov () ferris edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ruth Ginzberg
Sent: Tuesday, February 21, 2017 3:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Penetration Testing RFP Ideas

This message is from a mail system outside of Office 365

Procurement person here...

An RFP is a perfect vehicle to ensure that you don't get stuck taking a low-ball bid. I'm not familiar with your state's requirements regarding competitive solicitations, but generally if you do a bid you need to take the lowest bidder, but if you do an RFP you get to do a qualitative evaluation of each proposal, and cost will be figured in only after you've determined that the proposer would meet your needs qualitatively.

Now putting on my InfoSec hat -- I think this is a pretty good article about hiring pen testers (MHO): http://www.zdnet.com/article/10-things-you-need-to-know-before-hiring-penetration-testers/

You don't necessarily want to spell out in advance too terribly exactly what you want them to do -- because you want them to be able to "follow the footprints" as it were, not just execute a pre-determined script in order to check a box to say it's been done. What you want is the result -- a full report outlining [whatever vulnerabilities you're testing for] and any others discovered along the way. You may or may not want remediation suggestions.

There definitely are ways to RFP for that -- contact your Procurement folks and ask them to work with you (they'll be thrilled) to develop such an RFP. Basically, I think what you want is a results-oriented, not a procedure-oriented, RFP. You tell vendors what result you want; they tell you what they propose to do in order to get you there. You evaluate what they propose to do.

Hope this helps!

Regards,
Ruth Ginzberg, CISSP, CTPS
Sr. I.T. Procurement Specialist
University of Wisconsin System
608-890-3961

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin Harwood
Sent: Tuesday, February 21, 2017 12:26 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Penetration Testing RFP Ideas

I was wanting to ask this community if there is anyone else in here who has written an RFP lately for internal/external penetration testing services. I'm looking for ideas on how to craft the document that lists out all the technical requirements and things I want to be considered, in order to help decide the best vendor to choose. What I'm looking for is ideas to ensure that I have enough information so that I don't get a low-ball bid response and have to go with them if they aren't a vendor we think meets our expectations/qualifications.

Thanks,
Justin

________________________________
This e-mail, including any attachments, is intended only for the addressee's use and may contain confidential and proprietary information. If you are not the intended recipient, you are hereby notified that any retention, dissemination, reproduction, or use of the information contained in this e-mail is strictly prohibited. If you have received this e-mail by error, please delete it and immediately notify the sender. Thank you for your cooperation.
Current thread:
- Penetration Testing RFP Ideas Justin Harwood (Feb 21)
- Re: Penetration Testing RFP Ideas Penn, Blake C (Feb 21)
- Re: Penetration Testing RFP Ideas Ruth Ginzberg (Feb 21)
- Re: Penetration Testing RFP Ideas Velislav K Pavlov (Feb 23)
- <Possible follow-ups>
- Re: Penetration Testing RFP Ideas Brad Judy (Feb 21)