Tech Time: Building Security Into Your RFPs
“An ounce of prevention is worth a pound of cure.” – Ben Franklin
“Moving forward with new systems.” “Replacing legacy programs with newer more capable programs.” Ask credit union management what’s on their plate for the upcoming year, and quite a few will mention those items. What about investing the time (and patience) to draft effective requests for proposals? When it’s not a regular task for the credit union, it can be easy to miss out on including security-related items for RFPs. In this article, we’ll review ways to make your RFPs more security-conscious.
As a first step: Before writing RFPs, your credit union should create a framework (a policy and standards) to use when generating RFPs. The goal of this framework should be allowing the credit union to ensure that optimal value from expenditures/investments is created at affordable costs within acceptable risk tolerances. This enterprise-level framework also ensures RFPs are uniform and consistent across the credit union.
Another aspect of the framework should be guidance on the structure and requirements for developing business cases and RFPs; this ensures information security, audit, vendor management, IT and other operational area needs are addressed. As an example, consider your internal audit department. At some point after a system is up and running—like an accounting, collections or payroll system—you will probably complete an audit to confirm things are performing as they should. With input during the building of the software RFP, your audit folks can see to it that necessary audit capabilities are built into the system rather than trying to bolt them on afterwards. Also, audit personnel’s familiarity with external audit practices and standards (i.e., SSAE-18, SOC-1, SOC-2) allows them to note in the RFP where access to these items may be appropriate.
Your framework should also define which credit union policies need to be examined to ensure that what is asked for from the vendor complies with those policies and standards. Examples of policies and standards to review include:
- information security,
- risk management,
- information retention and destruction,
- business continuity, and
- data classification.
Another important aspect of getting better security information from RFP responses is to ask questions generating narrative answers. In other words, ask questions requiring more than just a simple yes or no. For example:
|Does the system encrypt usernames and passwords?||What system is used to encrypt usernames and passwords?|
|Who is responsible for…||Please provide a RACI matrix outlining duties and obligations for…|
In the last of the above examples, a number of different organizations are noted with respect to standards and best practices. While researching the new system, the credit union should examine what standards or best practices may be helpful or applicable to the new system. This can be particularly important if the credit union has not recently examined or is not overly familiar with the area covered by the RFP. The credit union can use the standards documentation to better understand what will be required of the system and then develop narrative-answer questions. For example, a credit union that relies on outsourced IT services may find change/configuration management standards and best practice documents a valuable resource to generate “better” questions on how system or software changes are handled by prospective vendors.
Additionally, make sure the RFP process includes examining costs and security needs for the entire life of the product (purchase, implementation, ongoing use, and retirement). It’s just as important to understand costs and security issues related to the retirement or disposal of a system as it is for purchase and implementation.
While not something actually written into RFPs, it is also important that the credit union establish guidelines for what or how it will handle policy exceptions in a vendor’s response. While you hope vendors will be able to provide products meeting all your needs and complying with all your policies, that often isn’t the case. To prepare for those instances, the credit union should, beforehand, determine how it will handle policy exceptions and what exception limits it will use for go/no-go decisions.
Credit unions operate in an increasingly security-conscious world; taking extra time to develop and write security-conscious RFPs can help ensure selected vendors and systems meet ongoing security needs.
Jim Benlein, CISA, CISM, CRISC, owns KGS Consulting LLC, Silverdale, Wash., and offers insight to CUs on information technology governance, information security and technology risk management.