Request For Proposal Guidelines
Clients choosing to produce a Request For Proposal (RFP) for security testing services, may want to consider the following aspects when composing a RFP for distribution to potential internet security testing service providers.
Introduction and Background
Purpose of the Request for Proposal
This allows the client to give an overview of their business and to define the purpose of the RFP, such as:
‘Acme Corporation’ is an Internet Service Provider that provides ‘Coyote Services’ with their internet facing infrastructure and web applications hosting environment.
‘Coyote Services’ is interested in conducting an internet security assessment that will allow the company to find any potential network and web application security vulnerabilities that may present a risk to the organisation or their investment in infrastructure and web applications.
These activities are part of ‘Coyote Services’ ongoing risk management program and are focused on identifying the risk level ‘Coyote Services’ is now exposed to so that an appropriate set of responses to identified threats and risk management controls can be developed and deployed.
‘Acme Corporation’ is seeking to find and select an independent organization to do the activities identified in this RFP. The rest of this document provides more information that will allow an internet security testing service provider to understand the scope and develop a proposal to satisfy this need.
‘Acme Corporation’ requires a fully costed proposal to fulfill the security assessment and penetration testing requirements specified in this document.
For the purposes of the information contained in this document, the ‘Coyote Services’ internet estate is hosted at a ‘Acme Corporation’ data centre in ‘Raintree County’.
‘Acme Corporation’ Technical Contact
Any questions about the technical specifications or statement of work requirements in the first instance should be directed to:
- Name Technical Authority
- Address Technical Authority Address
- Telephone 0011223344
- Email [email protected]
‘Acme Corporation’ Contractual Contact
Any questions about contractual terms and conditions or proposal format should be directed to:
- Name Business Representative
- Address Business Representative Address
- Telephone 0055667788
- Email [email protected]
A written confirmation of the supplier’s intent to respond to this RFP is required by DD/MM/YY, all proposals are due by DD/MM/YY. Any proposal received after the required date specified for receipt shall be considered late and non-responsive; any late proposals will not be evaluated for award.
Schedule of Events
- DD/MM/YY RFP distribution to supplier’s.
- DD/MM/YY Written confirmation from supplier’s with bid intention.
- DD/MM/YY Questions from supplier’s about scope.
- DD/MM/YY Responses to supplier’s about scope.
- DD/MM/YY Proposal due date.
- DD/MM/YY Target date for review of proposals.
- DD/MM/YY Anticipated decision and choice of supplier.
- DD/MM/YY Anticipated commencement date of work.
Guidelines for Proposal Preparation
Award of the contract resulting from this RFP will be based upon the most responsive supplier whose offer will be the most helpful to ‘Acme Corporation’ in terms of cost, functionality, and other factors as specified elsewhere in this RFP.
‘Acme Corporation’ reserves the right to:
- Reject any or all offers and stop this process without obligation or liability to any potential supplier.
- Consider factors other than lowest cost when deciding the supplier appointment.
- Award a contract on the basis of first offers received, without further discussion.
The supplier’s proposal should be submitted with the information defined below. The supplier will confine their submission to be enough to define its proposal and to give an adequate basis for ‘Acme Corporation’ to check the proposal.
The supplier’s proposal in response to this RFP will be incorporated into the final contractual agreement between ‘Acme Corporation’ and the selected supplier. The submitted proposals should include the following information:
- Management summary
- Approach and method
- Project deliverables
- Project management
- Detailed and itemised pricing
- Appendix: Project team
- Appendix: Company overview
The detailed requirements for the sections above are outlined below.
Detailed Response Requirements
This section should present a high level view of the supplier’s response to the RFP. The management summary should be a brief overview of the engagement, and should show the main features and benefits of the proposed work.
Approach and Methodology
This section should include detailed testing procedures for the testing which will be undertaken. The proposal should show the sections listed below:
- Internet Network Security Testing.
- Web Application Security Testing.
This section should include descriptions of the type of report used to summarise and give detailed information on security risks, vulnerabilities and the recommended remedial actions.
The supplier should include sample reports as attachments to the proposal to give an example of the types of reports that will be provided for this engagement.
This section should include the method and approach used to manage the overall project and client handling. Briefly describe how the engagement will go ahead from start to finish.
Detailed and Itemised Pricing
This section should include a price breakdown by project phase and include estimates of any incurred expenses.
Appendix: Project Team
This section should include the CV’s and description of the relevant experience of the staff that would be assigned to this project. The supplier should confirm whether the identified staff are full-time employees of the organisation or if they intend to sub-contract any or all the work to a third-party.
Appendix: Company Overview
This section should include the following details about the supplier:
- Official registered name, address, main telephone number.
- Key contact name, title, address (if different from above address), direct telephone number and email address.
- Person authorised to contractually bind the organisation for any proposal submitted against this RFP.
- Brief history, including year established and number of years experience in the information security testing industry.
Proposal Evaluation Factors
Any award made in regard to this RFP will be based upon the received proposal with proper consideration given to operational, technical, cost and management requirements. Evaluation of offers will be based on the supplier’s responsiveness to the RFP and the total price quoted for all items covered by the RFP.
The following elements will be the primary considerations in evaluating all submitted proposals and in the selection of a supplier:
- Completion of all requested responses in the correct format.
- The extent to which supplier’s proposal fulfills the stated requirements as set out in this RFP.
- An assessment of the supplier’s ability to deliver the indicated service in accordance with the specifications set out in this RFP.
- The supplier’s stability, experience and record of past performance in delivering security testing services.
- Availability of enough high quality supplier staff with the required skills and experience for the specific approach proposed.
- Overall cost of supplier’s proposal.
‘Acme Corporation’ may at their discretion and without explanation to the supplier’s, at any time choose to stop this RFP without obligation to any prospective supplier’s.
Scope of Work
The following information should be used to determine the scope of this project and give pricing for this engagement:
Internet Network Security Testing
- Subnet Address (eg 10.0.0.0/8 172.16.0.0/16 192.168.0.0/24)
The contracted supplier will be required to name the software tools and to describe the method they will use to do the network security testing.
Web Application Security Testing
- Name, URL and description of each application to be assessed.
- Approximate number of user supplied input pages for each application.
- Number of user roles / privilege levels for each application.
The contracted supplier will be required to name the software tools and to describe the method they will use to do the web application security testing.
At the conclusion of the assessment, ‘Acme Corporation’ requires written documentation of the approach, findings and recommendations associated with this project in both PDF and MS-Word formats. The documentation should consist of the following information delivered within two weeks of the completion of testing:
A section produced to summarise the scope, approach, findings and recommendations in a way suitable for senior management. This section should include.
- Scope of testing detailing the work performed including the subnets and web applications tested.
- Management summary containing a high level explanation of identified issues and an associated risk rating e.g. high, medium or low for each issue.
Detailed Technical Report
A document developed for the use of ‘Acme Corporation’ technical staff which discusses the method employed, detailed technical vulnerability findings, an assignment of a risk rating for identified vulnerabilities and detailed technical remedial procedures. This section should include:
- Technical summary identifying the issues, affected hosts and web applications and the CVSS metric where appropriate.
- Detailed findings containing a detailed explanation of the recommended remedial action for each identified issue.
The contracted supplier will also supply ‘Acme Corporation’ with the following information:
- Network port scanning results, e.g. in the form of Nmap files (.nmap, .gnmap, .xml)
- Network vulnerability scanning results, e.g. in the form of Nessus files (.nessus)
- Web Application scanner results, e.g. in the form of ZAP proxy output.
Indimon Internet Services
Indimon Internet Services considers the RFP to be a valuable part of the security testing process as it provides the means for the client to accurately determine their security testing requirements. The received proposals can then be compared against the identified requirements to aid the client in determining the most appropriate security testing service provider.