In our last blog, we discussed the importance of including the privacy and security team from the very beginning of the RFP process. Even with a data security expert at the table, it is critical for the entire RFP team to understand the significance of drafting questions that will elicit meaningful information about the bidders' data management policies and practices.
What organizations want is to ensure that all suppliers will be compliant with relevant legislation and have processes in place that minimize the risk of a security breach. With that in mind, RFP questions should elicit details that lead to a high level of comfort in the following areas of data security:
– Privacy and data management structure and scope (team members, expertise, certifications, breadth of application)
– Management process with employees, suppliers and subcontractors, including training and awareness
– Compliance with relevant legislation (e.g., the Privacy Act and PIPEDA in Canada, the GDPR in the European Union, and the laws of any other applicable jurisdiction)
– Physical and logical location of client data
– Monitoring and controls
– Incident response/mitigation and reporting
The questions should serve to obtain details rather than a vague description of the bidder's approach to security. They should seek specific information about processes, tools and technology, and they should require the bidder to demonstrate an understanding of risk management and of compliance with applicable legislation in every jurisdiction where client data will be handled.
In order to obtain meaningful information from the bidders, the RFP team should first establish the following:
– Requirements that are mandatory and, if not met, would disqualify bidders
– What will be most highly weighted, that is, what are the most important requirements
– What may be acceptable, depending on other elements presented in the proposal
– Best practices in the area of data security
From there, questions can be formulated to indicate the level of precision required and focus on the features that are most important to the team. This means delving into the categories listed at the beginning of this blog. Examples include requesting:
– Privacy and security organization charts and process diagrams with the names of responsible individuals, as well as a description of their relevant experience and certifications.
– How the bidder ensures that suppliers and subcontractors comply with its data security policies (contractual obligations, audits, training).
– A description of the physical structure of the data center, fire suppression and alarm systems, access controls, the logical location of data, and the business continuity plan in the event of total loss of the primary location.
– Information about compliance with international security frameworks (for example, ISO/IEC 27001 certification or SOC 2 reports), as well as the specific monitoring and protection solutions in use (encryption, firewalls, anti-virus/anti-malware, etc.).
– A history of data security breaches, how they were managed, and how and when affected clients were notified.
With carefully thought-out questions, it will be clear to the bidders what information is required to be considered a serious candidate for a partnership arrangement. Once the proposals are received, the RFP team can then determine which bidder is the best match for the organization’s requirements.
More on this important subject to come.