Project Management Methodology Procurement management Procurement Management Purchasing Hardware Software Vendor Services Consulting Services Outsourcing development Training Services Maintenance Documents Contract Specification Statement Of Work Procurement management processes Processes Planning Conducting procurement Administering Closing Procurement can be organized as a subproject Procurement management processes Planning Initial market research Decide about what to buy Preliminary cost estimation Make short list of vendors (2 to 5 names) Procurement management processes Conducting procurement Request For Proposals (RFP) sent out to vendors RFP must reflect critical requirements, both functional and non-functional. It must enable vendor evaluation, otherwise it will be useless Respectively, evaluation criteria must be defined (do not send them to vendors) Collect responses Responses review and evaluation Communicate to vendors Select a vendor Generic RFP structure RFP set of criteria should reflect: Management approach – 30% Technical approach – 30% Past performance – 20% Price – 20% Weights are assigned in order to facilitate responses evaluation Management approach and past performance groups of criteria most probably exist, when technical approach must be developed for each project specifically Technical part of RFP The following must be addressed Functional capabilities - Yellow Platform solution - Red Open architecture - Orange Security - Green Performance - Blue Scalability - Purple Usability (ease of use) - TBrown Technical Part of RFP – Functional capabilities Two-factor authentication Team Yellow Snake Questions to ask our Vendors What authentication factors/forms does your product support? What directory services does your product integrate with? Where is your product currently deployed? Does your product support federated user authentication? What federated user authentication protocols does your product support? Functional Capabilities Do you offer 24/7 technical support? What Data and transport encryption protocols does the product support? Comments The questions are good and relevant, except of one re the product deployment. This one is better to locate at the section that requests about the company experience Anti-virus RFP Platform solution Team Red Questions Current Solutions for: Licenses Linux Server Windows Workstation Comments: First group is fine but Others are not relevant to The topic. Better choice Would be to ask about Plans for the future Type of licenses Number of computers per license Effectiveness - % of malware protection Maintenance – updates and patches Support Interaction with other software? THE GREEN TEAM IPS Security Adam, Liane, Paul, Matt Questions to the vendor It’s not easy being Questions Questions are good re Security. Not all are Relevant to IPS 1. Does your product allow for remote access/administration? 2. What are your terms when it comes to ownership of data (cloud)? 3. Do third parties conduct security assessments on your products? Questions Cont’d 4. Does your product store data unencrypted? 5. Do you review security at each phase during the software development cycle? 6. What methodologies do you use for testing your products’ security? Questions Cont’d 7. Do you delete data once requested by the customer? 8. Do you have a privacy policy, if so, what is it? 9. What are the vendors’ security certifications? Questions Cont’d 10. What are your disaster recovery plans? 11. What are your risk mitigation strategies? 12. How are the end users alerted to new updates? Questions Cont’d 13. What kind of authentication controls are built into the product? 14. How is your application team educated in current application security risks? 15. What is your process for notifying customers of security problems and the solutions? TEAM BLUE: Web Traffic Filtering Project - Performance We would like to know…. 1. What are the performing advantages in this system that we should consider over any other similar system in the market? 2. How quickly this integrated system could run up at the beginning of each working day? 3. How many workstations could this system handle? 4. What is the possible down time in annual bases? 5. How many applications could simultaneously run before any indication of system slow down? Good questions RFP SIEM Scalability Scalability ● ● ● Good questions SIEM (Security information and event management) Logging and event management Nodes refers to any software that creates log files that are collected by the SIEM software. How many additional network nodes can be added? Scalability ●Is there a delay in logging if the number of nodes exceed a certain amount? ●How much additional storage capacity required per node? ●Will adding more nodes cost more money? (license restrictions) ●Is it open source? ●Does the interface support WANs? ●How in-depth can individual logs be accessed? (per computer, per software, ● Firewall project RFP Usability Team Brown Mike Max Kowri Nahin Questions Does this product require more than average technical knowledge in order to operate? Will there be any bottlenecking involved with the implementation of the 3 firewalls? Will it be easy to control the access permissions and privileges for user data travelling through the firewalls? How much throughput will the product be able to analyze before it starts dropping packets? More Questions Good questions although It is difficult to segregate Usability and performance For this sort of tools Will there be any connectivity complications involved with the different vendor products and because of the more complex network structure? Are we able to increase the number of SSL/VPN peer connections? Procurement management processes Administering procurement Define procedures and have them described in the RFP. Vendors must be aware about procedures The description must provide information about: Due date of responses submission Document format Delivery channels Contact information Procurement management processes Closing procurement Having a vendor selected, focus on her performance Make deeper investigation of technical capabilities. Sometimes people conduct a Proof Of Concept project in order to understand things better Prepare a contract (legal document) Prepare technical specification and/or statement of work (SOW) Technical specification is provided to buy products “off the shelf” SOW is provided to buy services, such as Installation and configuration Training Development SOW content SOW describes the content, terms, and conditions of the purchased (outsourced) service delivery This is some sort of initial project plan that shows the project milestones, critical human resources, and price