When selecting a Managed Security Service Provider (MSSP) through a Request for Proposal (RFP) process, how can educational institutions ensure they select the right MSSP to meet their cybersecurity needs?
In this blog post, we’ll guide you through our 10-point cybersecurity RFP checklist so you can ensure the best outcome from your RFP process. By following this checklist, educational institutions can be confident that the proposals they receive meet their unique cybersecurity needs.
1. Include Technical Requirements
Including technical requirements such as ISO 27000 certification and SOC 2 Type 2 certification in an RFP for cybersecurity services is important because it ensures that the responses you receive come from qualified, certified and experienced organizations.
Including these certifications in an RFP sets clear expectations for vendors and ensures that they are aware of the specific requirements that must be met.
Additionally, including technical components such as these certifications in an RFP can help reduce the risk of security breaches or other cyber threats by ensuring that the selected vendor has the necessary expertise, training, and experience to manage cybersecurity risks effectively.
2. Set Clear Incident Response Time Requirements
Setting response times for each cybersecurity incident severity level within an RFP establishes clear expectations for how quickly an MSSP must respond to different types of incidents. This avoids response delays when an incident occurs and helps limit the damage the incident can cause.
In the event of a cybersecurity incident, time is of the essence. The longer it takes to respond, the more potential damage can be done. By setting response times on different cybersecurity incident levels, an organization can help reduce downtime and minimize the impact of a cybersecurity incident.
3. Request Local Resources
Local resources are typically able to respond more quickly to cybersecurity incidents, as they are physically closer to the organization. This can help minimize the impact of any incidents and reduce downtime.
If your educational institution is unionized, you have very specific working hours that must be followed. Selecting a vendor with local resources can help with scheduling meetings and maintenance and ensuring 24/7 coverage.
Additionally, local SOC resources are likely to be familiar with local regulations and compliance requirements, which can be important for ensuring that the organization remains compliant with applicable laws and regulations.
4. Request Solely Microsoft-Focused Vendor Responses
A Microsoft-focused MSSP will have a deeper understanding of the Microsoft Security ecosystem and of the organization’s technology platform, and will be better equipped to address potential vulnerabilities or threats. Working with an MSSP that has a strong focus on Microsoft provides a higher level of expertise and helps ensure that the organization’s complex cybersecurity needs are fully met.
A Microsoft-focused MSSP, like Difenda, can ensure that the organization’s security infrastructure is fully integrated with its Microsoft technologies, which can help improve the efficiency and effectiveness of its security operations.
How can you tell? Look for these two badges to confirm that your MSSP is capable and qualified to manage your systems: the MISA Microsoft Verified Managed XDR Solution badge and the Microsoft Solutions Partner for Security badge.
5. Establish A Realistic Timeline
The RFP process can take 6-9 months. A realistic timeline sets expectations for all parties involved, including the organization issuing the RFP, potential vendors, and other stakeholders. This helps avoid misunderstandings and ensures that all parties are aligned on the expectations for the project.
A realistic timeline can increase the likelihood of a successful project outcome. This includes selecting a vendor that best meets the organization’s needs and ensuring that there is adequate time for planning and implementation.
6. Be Specific With Your Contract Data Requirement List (CDRL)
A CDRL is a list of required deliverables that the contractor must provide during the course of the project. Being specific in the CDRL helps to clearly define what the organization expects to receive from the security vendor, which reduces the risk of misunderstandings and reduces the risk of delays or issues during the project.
A specific CDRL makes it easier to evaluate proposals from different vendors. Each vendor will be evaluated based on their ability to meet the specific requirements outlined in the CDRL, which helps to ensure a fair and objective evaluation process.
7. Ask For Clarity on Your Time and Personnel Requirements
Clarifying the internal staffing support and the time required for onboarding and/or ongoing management is critical to ensuring that the organization has the right level and type of staffing to complete the project on time. Personnel requirements can specify the skill sets and experience levels required for the project, which helps identify potential staffing issues before they become problems.
8. Clarify Your Storage Standards
Data storage is often subject to legal, regulatory, and compliance requirements. By clarifying the MSSP’s storage standards, whether in the cloud or on-premises, your school can ensure that the MSSP complies with all applicable requirements, such as HIPAA, GDPR, or other regulations.
In addition, one of the major challenges for the education sector is enabling staff and students with open-access data. Clarifying storage standards can help determine the accessibility of data and what precautions will be in place to protect it.
9. Keep Your Business Issue in Mind
The purpose of selecting an MSSP and developing a new security solution is to provide your end users with technical capabilities that solve a business issue. To ensure that the proposals you receive address your business needs, you must make clear reference to those issues in your RFP.
By outlining and identifying the most critical issues that need to be addressed within your program, you enable vendors to provide you with solutions that will maximize ROI and ensure a successful outcome.
10. Secure Upper Management Buy-In and Funding Before You Start
When looking at cybersecurity solutions, funding sometimes goes beyond the initial purchase. Depending on the model, you may have annual subscription fees after the initial implementation and setup, or there could be maintenance and upgrade fees to consider down the line.
Securing upper management buy-in and funding before creating your RFP shows that the organization’s leadership supports the initiative, which helps build confidence in the project and encourages participation from stakeholders.
But it also ensures that there is a budget available to cover the costs associated with the RFP process and any subsequent cybersecurity services that may be required.