Educause Security Discussion mailing list archives

Re: Penetration Testing RFP Ideas


From: Velislav K Pavlov <VelislavPavlov () FERRIS EDU>
Date: Thu, 23 Feb 2017 17:46:11 +0000

I recommend reading the CREST buyer's guide: https://www.crest-approved.org/wp-content/uploads/2014/11/PenTest-Procurement-Buyers-Guide.pdf. Email me if there is interest in seeing an example RFP for an internal and external pen test with a phishing simulation. There is a difference between a pen test, a vulnerability assessment, and a risk assessment.

Vel Pavlov | Coordinator, IT Security 
M.Sc. ISM, CISSP, C|HFI, C|EH, C)PTE, 
Security+, CNA, MPCS, ITILv3F, A+ 
VelPavlov () ferris edu



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ruth Ginzberg
Sent: Tuesday, February 21, 2017 3:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Penetration Testing RFP Ideas

Procurement person here...

An RFP is a perfect vehicle to ensure that you don't get stuck taking a low-ball bid.

I'm not familiar with your state's requirements regarding competitive solicitations, but generally if you do a bid you need to take the lowest bidder, but if you do an RFP you get to do a qualitative evaluation of each proposal, and cost will be figured in only after you've determined that the proposer would meet your needs qualitatively.

Now putting on my InfoSec hat --

I think this is a pretty good article about hiring pen testers (MHO):

http://www.zdnet.com/article/10-things-you-need-to-know-before-hiring-penetration-testers/

You don't necessarily want to spell out in advance too terribly exactly what you want them to do -- because you want them to be able to "follow the footprints" as it were, not just execute a pre-determined script in order to check a box to say it's been done. What you want is the result -- a full report outlining [whatever vulnerabilities you're testing for] and any others discovered along the way. You may or may not want remediation suggestions.

There definitely are ways to RFP for that -- contact your Procurement folks and ask them to work with you (they'll be thrilled) to develop such an RFP. Basically, I think what you want is a results-oriented, not a procedure-oriented, RFP. You tell vendors what result you want; they tell you what they propose to do in order to get you there. You evaluate what they propose to do.

Hope this helps!

Regards,


Ruth Ginzberg, CISSP, CTPS
Sr. I.T. Procurement Specialist
University of Wisconsin System
608-890-3961

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin Harwood
Sent: Tuesday, February 21, 2017 12:26 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Penetration Testing RFP Ideas

I wanted to ask this community whether anyone else here has written an RFP lately for internal/external penetration testing services. I’m looking for ideas on how to craft the document that lists out all the technical requirements and the things I want considered in order to help decide on the best vendor. What I’m looking for is ideas to ensure that I have enough information so that I don’t get a low-ball bid response and have to go with that vendor if we don’t think they meet our expectations/qualifications.

Thanks,

Justin
