Vendor Selection

Vendor Selection

Before drafting and issuing an RFP

1. Determine business process(es) impacted by the new product/ system/ application/ process
2. Determine type and sensitivity of data impacted
3. Determine the availability requirement for the new product/ system/ application and related processes.
4. Assess risk of the product /system/ application/ process (If applicable)
5. If data impacted is sensitive or specifically protected by state and federal laws (If not, a general security requirements boilerplate provided by the institution Office of General Counsel should be adequate)
   1. Determine the information security requirements needed to safeguard the data (regardless of hosting location)
6. If the system/ application/process is developed, outsourced and/or hosted at a third-party's location
   1. Determine requirements needed to limit access and safeguard data transmission, storage, and retention
7. Determine if an RFP is required or desired for the procurement

During draft and review of RFP

1. Incorporate requirements identified in Item 1.e and 1.f in the RFP and in the copy of the institution's Agreement included in the RFP.
   

After issuing the RFP and/or Vendor Evaluation

1. Identify the office, team or individual(s) responsible for reviewing and assessing vendor answers to the information security questions included in the RFP response.
2. Review vendor answers provided in RFP response. Explanations should be specific and describe procedures and/or products used to meet the requirements
   1. Identify questions and/or requirements that need further clarification or answers that do not meet requirements.
   2. Follow up with vendor through email or conference call - as long as it is documented - regarding items identified
   3. If applicable, request a product trial to test product functionality and security features
3. If the system/ process/ application is outsourced or hosted at a third-party location
   1. Assess the risk of using the finalist third-party vendor. This may be done by requiring finalist vendors to complete a third-party information security assessment survey, or by other risk assessment processes such as a site inspection.
   2. Call vendor references and discuss the completed vendor survey to assess if there is evidence of non-performance at other clients sites
4. Identify areas needing mitigation and required cure and include them as language in final agreement and/or statement of work.
   

Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).