Deep Dive into Managing RFIs, RFPs, and Proofs of Concepts (IASA Dives Into Managing RFIs, RFPs). Presenter: Bruce Benson, VP Technology & Development

Apr 25, 2020

Transcript
Page 1: Deep Dive into Managing RFIs, RFPs, and Proofs of Concepts. Presenter: Bruce Benson, VP Technology & Development
Page 2

Deep Dive into Managing RFIs, RFPs, and Proofs of Concepts

Presenter: Bruce Benson, VP Technology & Development, Eagle Technology Management, Inc., March 17, 2017

3/13/17 2

Page 3

Bruce is one of the original founders of Eagle Technology Management, Inc. (2001) and the Freedom Group (1986). He has devoted his career to regulatory filing software. Bruce has been with the industry since the days when his software was used to print bound annual statement books and he has remained focused on improving the process of regulatory submission and preparation.

With these changes, Bruce has seen an increased demand for network and data security. ETM is a SOC-certified service organization, a Microsoft Gold Partner, and a provider of service organization standards.

As Vice President of Technology and Development at ETM, Bruce ensures Wings® clients use a product that meets the highest security and data standards. Bruce obtained two undergraduate degrees in Computer Science and Business Administration from Coe College in Cedar Rapids, IA.

About the Presenter: Bruce Benson

Vice President of Technology and Development, Eagle Technology Management, Inc.

Page 4

Overview

RFPs, RFIs, and Proofs of Concept are becoming more valuable as tools to aid in the software and systems acquisition process. Vendors commit valuable hours and resources from multiple departments to responses in order to close the deal. Applications, data security, corporate culture, business relationships, business continuity, and disaster recovery are all topics open to discovery.

How do you optimize the response process and understand what it takes to successfully present your solutions? In this deep dive session, we'll explore:
• Process to ensure buy-in from all stakeholders to the sales process
• Best practices in streamlining the RFP response process
• Pricing challenges for proof of concept
• Evaluation techniques to optimize resources on the best opportunities, and to determine when to just say "no"

Page 5

Buy-In From Stakeholders to Sales Process

The company should assess the strategic fit of the opportunity.
• Considering all the other opportunities in the sales pipeline, does engaging in this one make sense?

Key considerations:
• How aligned is this to your target market?
• Can your existing client references be utilized?
• Who are the competitors, and what do they say about this opportunity?
• Do you have a "win" strategy?
• Are you equipped, ready to commit, and do you have the resources?

Page 6

Buy-In From Stakeholders to Sales Process
• Identify departments to participate in completing requests
  ■ Sales, Product Managers, Development Team, Management
• Develop a pre-qualification process
  ■ Determine questions to qualify RFIs and RFPs:
    • Company information
    • Product information: document which platform is used
    • Security information: state which PII is held and which is not held
    • Timeframe for completion: develop an estimate based on RFP complexity
  ■ Standardize answers
  ■ Generate a standard material set for prospects to answer

Page 7

Buy-In From Stakeholders to Sales Process (continued)
• Sales – Needs help communicating technical details
• Information Technology – Busy with computer systems and IT security… cannot always provide assistance
• Management – Wants efficient handling of sales opportunities

So, who handles the work?
• RFP Coordinator – Coordinates the process
• Lead RFP Writer – Researches/completes questionnaires
• Sales – Completes non-technical questions
• Management/IT – Answer questions assigned by the writer

Page 8

Buy-In From Stakeholders to Sales Process (continued)
• HIPAA/HITECH – Health-related information
• GLBA – Financial information
• Privacy Act – Fair information practices for PII held by federal agencies
• COPPA – Protects children's privacy by allowing parents to control what information is collected
• FERPA – Students' personal information
• FCRA – Collection and use of consumer information

Page 9

Buy-In to Streamlining the RFP Process
• Correctly state and determine the "Risk Classification" based on the proposed engagement
  ■ Verify how the prospect determined their "Vendor Risk Assessment" of you as their vendor; get specifics, or even engage business users.
    • High
    • Medium
    • Low
  ■ The RFP sent is a stock RFP for all vendors – some questions may not apply
  ■ Have business users from the prospect assist in verifying the risk classification

Page 10

Streamlining the RFP Response Process
• For Core Systems, the RFP response process is time-consuming.
  ■ A typical RFP questionnaire may have more than 2000 questions requiring manual completion and supporting criteria.
• Sample RFP
• Best Practices
  ■ Database of searchable, indexed, stock answers
  ■ Consistent set of resources
  ■ Designate someone to do quality checks
• Challenges
  ■ Keeping collaborative work in one document
  ■ Merging

Page 11

Streamlining the RFP Response Process

Implement Information Security Policies/Procedures (ISPP) to address the security concerns outlined in the ISO 27002 standard.

Page 12

Streamlining the RFP Response Process (continued)

Most RFP questionnaires use the ISO 27002 outline, such as Human Resources Security…

Page 13

Streamlining the RFP Response Process (continued)

Sample FAQs for Human Resources Security:
• Is a background screening performed prior to allowing constituent access to scoped systems and data?
  Criminal, financial, drugs
• Are new hires required to sign any agreements upon hire?
  Acceptable Use Policy, Employee Handbook
• Is there a security awareness training program?
  Information security awareness, education, and training done monthly/annually
• Is there a disciplinary process for non-compliance with information security policies?
  Ch. 20 "Sanction Policy, Security Violation, Disciplinary Action"
• Is there an integral termination or change of status process?
  Termination/change of employment, return of assets, access to company resources revoked in a timely manner

Page 14

Streamlining the RFP Response Process (continued)

Access Control…

Page 15

Streamlining the RFP Response Process (continued)

Sample FAQs for Access Control:
• Are unique user IDs used for access?
  Password controls such as number of days, number of alphanumeric or special characters, number of times used in a given timeframe
• Are user access rights reviewed at least quarterly?
  Yes
• Is multi-factor authentication deployed for "high-risk" environments?
  Restrictions and access to networks or services applied
• Are passwords required to access systems transmitting, processing, or storing scoped systems and data?
  Via management system and user responsibilities
• Is remote access permitted?
  Only through the company VPN, and RSA tokens are used to secure access

Page 16

Streamlining the RFP Response Process (continued)

…or Information Security Incident Management

Page 17

Streamlining the RFP Response Process (continued)

Sample FAQs for Information Security Incident Management:
• Is there an incident management program or plan?
  Ch. 24 "Breach Notification and Incident Response Procedure"
• Are there procedures to collect/maintain a chain of custody for evidence during an incident investigation?
  The Employee Handbook details employee responsibilities related to security incidents/breaches
• Is a postmortem, including root cause analysis and a remediation plan, provided to leadership?
  Reviews are conducted by the Information Security team to revise procedures as necessary to prevent future occurrences
• Is there a system to continuously monitor error logs and email the Incident Response team?
  Daily operational activities are monitored, with separate evaluations using software to monitor both system health and overall environmental security

Page 18

Streamlining the RFP Response Process (continued)
• Work towards achieving a certification which will assist, e.g. SOC Type II Certification
• Use 3rd-party providers who have already achieved information security certifications
• Maintain an RFP matrix of FAQs to answer new RFPs

Page 19

Group activity – Buy-in & Streamlining
• Do you have all members involved?
  ■ How do you persuade company members to be involved?
  ■ How can you establish cooperation? What are the benefits to the company?
• Who can drive the buy-in?
  ■ Management's commitment?
  ■ Liability of the company?
  ■ Is your company prepared for all the detailed questions?
• Do you have a Business Continuity Plan (BCP)?
• Do you have a Disaster Recovery Plan (DR)?
• Do you need certification? Are there benefits?

Page 20

Group activity – Buy-in & Streamlining
• Streamlining, preparing, automating
  ■ Do you have the right material? Can you get the right material?
  ■ Is your company prepared? Have you developed the right process?
  ■ Use the right technology to automate, at a level which suits your team.
  ■ Are you prepared for an increase in Requests for Information, now and in the future?

Page 21

Pricing Challenges for Proof of Concept

For Core Systems, POCs range in scope and are difficult to price while multiple candidates are still present. Most RFPs expect the vendor to invest in the POC at its own cost.
• Typical activities of a Core System POC:
  ■ Configure the system to the client's specification
  ■ Build product, rates, documents, and implement business rules
  ■ Include training; this creates buy-in by key people.
• Some POCs span multiple weeks, merge with online training, etc. – chargeable, yet more successful when only one vendor is left

Page 22

Pricing Challenges for Proof of Concept
• ETM uses a "sandbox" environment to allow prospects to test drive applications.
• ETM creates a project plan to assist the prospect in testing all required components. Key personnel also assist in keeping the project moving forward.
• Using a specification and a technical spec white paper, prospects can verify and test any security requirements in this environment.
• Timelines keep the project on target and create contact points.
• If opportunity size and importance exist, then:
  ■ A specialized testing environment is created for the prospect
  ■ Commitment, specialized testing, and the desired length are displayed to the prospect

Page 23

Evaluation Techniques
• ETM developed a standard RFP document with attachments for potential clients.
• Prospects can use this information to answer their own RFP questions.

Page 24

Optimizing Resources on Opportunities
• Core Systems evaluation criteria – targeting properly qualified opportunities is key
• Carriers vary in profile – sample criteria as follows:
  ■ Carrier size – Are you able to execute a program of the size required to implement the technology? Can you deliver what is required?
  ■ LOB – Does the carrier have the right LOBs that you support or have done before? Do you have reference ability in these LOBs?
  ■ Budget – Is there a clear budget or a path to a budget for the initiative?
  ■ Sponsors – Do you know who the sponsors are, or have you talked with them?
• RFP process execution – Who is running the process? What does it mean to you? Relationship? SI?

Page 25

Optimizing Resources on Opportunities
• Before the RFP process:
  ■ Engage with the customer
  ■ Offer an RFP template with questions pertaining to ISO standards
• During an RFP process:
  ■ Measure size of opportunity vs. time/man hours
  ■ Present NDA and SaaS agreement for legal/negotiations
  ■ Have an RFP coordinator to see the process through
  ■ Have canned responses ready for FAQs
  ■ Require a signed copy of NDAs before releasing the RFP
  ■ Sales review the RFP completely and evaluate completeness
  ■ If allowed, schedule a call with the prospect to review the RFP

Page 26

When to Just Say "No"
• Size of opportunity versus costs of answering the RFP
• Will the opportunity benefit company growth?
• Would legal or negotiation costs be too high?
• Contract requirements:
  ■ Do contracts fit the actual project, or are they "canned"?
  ■ Are requirements unreasonable for your company to assume liability or risk?

Page 27

Group activity – POC & Optimizing
• How are your current POC activities working?
  ■ Strengths, weaknesses, how to be effective?
• Identify obstacles that should be changed to improve the POC!
  ■ Costs, time, effort
• Identify key criteria to improve your process
  ■ Criteria and measurements
• Resource management
  ■ Are the right internal resources defined and reliable?
  ■ Are timelines defined? Can you handle multiple in parallel?
  ■ Have you planned for scaling of the process? How?

Page 28

Thank You!

Bruce Benson
VP Technology and Development
Eagle Technology Management, Inc.
[email protected]

Time For Questions