Appendix D. Dealing with Consultants and Outside Vendors
After the decision has been made to conduct an internal risk and vulnerability assessment, deciding how to proceed and whether to conduct the risk and vulnerability assessment with internal resources or external resources is the next decision. Conducting a risk and vulnerability assessment with internal resources can be done by organizations that have the resources and skills needed to conduct an objective risk and vulnerability assessment. Using internal employees to conduct an internal risk and vulnerability assessment may result in prejudice and a nonobjective perspective when it comes to assessing and recommending specific remedies or courses of action to mitigate or remediate known risks, threats, and vulnerabilities. Conducting a risk and vulnerability assessment with an outside consultant or vendor will allow for an objective and unbiased assessment and recommendation.
This appendix provides an overview of how to procure outside consultants or vendors, what to include in the proposal or statement of work, and how to evaluate consultants and vendors who are responding to the proposal or statement of work to conduct a risk and vulnerability assessment on the organization's IT infrastructure and assets. This appendix provides the reader with an overview of the different procurement methods that can be utilized when contracting with an outside consultant or vendor. In addition, this appendix provides some useful tips and approaches to ensure that the outside consultant or vendor provides the tasks and deliverables as per the proposal or statement of work document.
Some organizations may want to hire a consultant to write the actual proposal or statement of work for conducting an objective risk and vulnerability assessment. In this case, the consultant should not be allowed to respond to the proposal or statement of work given that they have an unfair advantage because of their intimate familiarity with the IT infrastructure and assets. Other organizations will craft a proposal or statement of work and solicit proposal responses to make a sound business decision pertaining to the hiring of an outside consultant or vendor to perform the objective risk and vulnerability assessment. The creation of selection criteria for hiring an outside consultant is then evaluated so that a contract award can be made.
This appendix will focus on the later process in which organizations craft their own proposals and statement of work documents to solicit bids and proposal responses for conducting a risk and vulnerability assessment service offering.