Deep Dive into Managing RFIs, RFPs, and Proofs of Concepts

Transcription

1

2 Deep Dive into Managing RFIs, RFPs, and Proofs of Concepts Presenter: Bruce Benson, VP Technology & Development Eagle Technology Management, Inc. March 17,

3 About the Presenter Bruce Benson Vice President of Technology and Development Eagle Technology Management, Inc. Bruce is one of the original founders of Eagle Technology Management, Inc. (2001) and the Freedom Group (1986). He has devoted his career to regulatory filing software. Bruce has been with the industry since the days when his software was used to print bound annual statement books and he has remained focused on improving the process of regulatory submission and preparation. With these changes, Bruce has seen an increased demand for network and data security. ETM is a SOCcertified service organization, a Microsoft Gold Partner, and a provider of service organization standards. As Vice President of Technology and Development at ETM, Bruce ensures Wings clients use a product that meets the highest security and data standards. Bruce obtained two undergraduate degrees in Computer Science and Business Administration from Coe College in Cedar Rapids, IA. 3

4 Overview RFPs, RFIs, and Proofs of Concept are becoming more valuable as tools to aid in the Software and Systems acquisition process. Vendors commit valuable hours and resources of multiple departments to responses in order to close the deal. Applications, Data Security, Corporate Culture, Business Relationships, Business Continuity, and Disaster Recovery are all topics open to discovery. How do you optimize the response process and understand what it takes to successfully present your solutions? In this deep dive session, we ll explore: Process to ensure buy-in from all stakeholders to the sales process Best practices in streamlining the RFP response process Pricing challenges for proof of concept Evaluation techniques to optimize resources on the best opportunities, and to determine when to just say "no" 4

5 Buy-In From Stakeholders to Sales Process Company should assess strategic fit of the opportunity. Considering all the other opportunities in the sales pipeline, does engaging in this make sense? Key considerations: How aligned is this to your target market? Can your existing client references be utilized? Who are the competitors and what do they say about this opportunity? Do you have a win strategy? Are you equipped, ready to commit, and have the resources? 5

6 Buy-In From Stakeholders to Sales Process Identify departments to participate in completing requests Sales, Product Managers, Development Team, Management Develop a pre-qualification process Determine questions to qualify RFIs and RFPs Company Information Product Information - document which platform used Security Information - provide PII information held/not held Timeframe for completion - develop estimate based on RFP complexity Standardize answers Generate a standard material set for prospects to answer 6

7 Buy-In From Stakeholders to Sales Process - continued Sales Needs help communicating technical details Information Technology Busy with computer systems and IT security cannot always provide assistance Management Wants efficient handling of sales opportunities So, who handles the work? RFP Coordinator Coordinates the process Lead RFP Writer Researches/completes questionnaires Sales Completes non-technical questions Management/IT Answer questions assigned by writer 7

8 Buy-In From Stakeholders to Sales Process - continued HIPAA/HITECH Health-related information GLBA Financial information Privacy Act Fair information practices for PII held by federal agencies COPPA Protects children s privacy by allowing parents to control what information is collected FERPA Students personal information FCRA Collection and use of consumer information 8

9 Buy-In to Streamlining the RFP process Correctly state and determine Risk Classification based on proposed engagement Verify how the prospect determined Vendor Risk Assessment of you as their vendor, get specifics, or even engage business users. High Medium Low The RFP sent is a stock RFP for all vendors some questions may not apply Have business users from prospect assist in verifying risk classification 9

10 Streamlining the RFP Response Process For Core Systems, RFP response process is timeconsuming. Typical RFP questionnaire may have more than 2000 questions requiring manual completion and supporting criteria. Sample RFP Best Practices Database of searchable, indexed, stock answers Consistent set of resources Designate someone to do quality checks Challenges Keeping collaborative work in one document Merging 10

11 Streamlining the RFP Response Process Implement Information Security Policies/Procedures (ISPP) to address security concerns outlined in ISO standards. 11

12 Streamlining the RFP Response Process - continued Most RFP questionnaires use the ISO outline, such as Human Resources Security 12

13 Streamlining the RFP Response Process - continued Sample FAQs for Human Resources Security: Is a background screening performed prior to allowing constituent access to scoped systems and data? Criminal, financial, drugs Are new hires required to sign any agreements upon hire? Acceptable User Policy, Employee Handbook Is there a security awareness training program? Information security awareness, education, training done monthly/annually Is there a disciplinary process for non-compliance with information security policies? Ch. 20 Sanction Policy, Security Violation, Disciplinary Action Is there an integral termination or change of status process? Termination/change of employment, return of assets, access to company resources revoked in timely manner 13

14 Streamlining the RFP Response Process - continued Access Control 14

15 Streamlining the RFP Response Process - continued Sample FAQs for Access Control: Are unique user IDs used for access? Password controls such as number of days, number of alphanumeric or special characters, number of times used in a given timeframe Are user access rights reviewed at least quarterly? Yes Is multi-factor authentication deployed for high-risk environments? Restrictions and access to networks or services applied Are passwords required to access systems transmitting, processing, or storing scoped systems and data? Via management system and user responsibilities Is remote access permitted? Only through company VPN and RSA Tokens are used to secure access 15

16 Streamlining the RFP Response Process - continued or Information Security Incident Management 16

17 Streamlining the RFP Response Process - continued Sample FAQs for Information Security Incident Management: Is there an incident management program or plan? Ch. 24 Breach Notification and Incident Response Procedure Procedures to collect/maintain a chain of custody for evidence during incident investigation? The Employee Handbook details employee responsibilities related to security incidents/breaches Postmortem to include root cause analysis and remediation plan provided to leadership? Reviews are conducted by the Information Security team to revise procedures as necessary to prevent future occurrences Is there a system to continuously monitor error logs and the Incident Response team? Daily operational activities are monitored with separate evaluations using software to monitor both system health and overall environmental security 17

18 Streamlining the RFP Response Process - continued Work towards achieving a certification which will assist i.e. SOC Type II Certification Use 3 rd -party providers who already achieved Information Security certifications Maintain an RFP Matrix of FAQs to answer new RFPs 18

19 Group activity Buy-in & Streamlining Do you have all members involved? How do you pursued company members to be involved? How can you establish cooperation, Benefits to company? Who can drive the buy-in Managements commitment? Liability of company? Is your Company prepared for all the detailed questions? Do you have a Business Continuity Plan (BCP)? Do you have a Disaster Recovery Plan (DR)? Do you need certification, are there benefits? 19

20 Group activity Buy-in & Streamlining Streamlining, preparing, automating Do you have the right material, can you get the right material? Is your company prepared? Develop the right process? Use the right technology to automate, a level which meets your team. Are prepared for an increase in Requests for Information, Now, Future. 20

21 Pricing Challenges for Proof of Concept For Core Systems, POCs range in scope and are difficult to price with multiple candidates still present. Most RFPs expect the vendor to invest in the POC at personal cost. Typical activities of a Core System POC: Configure system to client s specification Build product, rates, documents, and implement business rules Include training, creates buy-in by key people. Some POCs span multiple weeks, merge with online training, etc. chargeable, yet more successful when only one vendor left 21

22 Pricing Challenges for Proof of Concept ETM uses a sandbox environment to allow prospects to test drive applications. ETM creates a project plan to assist the prospect in testing all required components. Key personnel also assist in keeping the project moving forward. Using a specification and a technical spec white paper, prospects can verify and test any security requirements in this environment. Timelines keep project on target and create contact points. If opportunity size and importance exist, then: A specialized testing environment is created for the prospect Commitment, specialized testing, desired length of prospect displayed 22

23 Evaluation Techniques ETM developed a standard RFP document with attachments for potential clients. Prospects can use this information to answer their own RFP questions. 23

24 Optimizing Resources on Opportunities Core Systems evaluation criteria targeting properly qualified opportunities is key Carriers vary in profile sample criteria as follows: Carrier size Are you able to execute a program in the size required to implement technology? Can you deliver what is required? LOB - Does carrier have the right LOBs you support or have done? Do you have reference ability in these LOBs? Budget Is there a clear budget or a path to a budget for the initiative? Sponsors Do you know who the sponsors are or have you talked with them? RFP process execution Who is running the process? What does it mean to you? Relationship? SI? 24

25 Optimizing Resources on Opportunities Before the RFP process: Engage with the customer Offer an RFP template with questions pertaining to ISO Standards During an RFP process: Measure size of opportunity vs time/man hours Present NDA and SaaS agreement for legal/negotiations Have an RFP coordinator to see the process through Have canned responses ready for FAQs Require a signed copy of NDAs before releasing the RFP Sales review RFP completely, evaluate completeness If allowed, schedule a call with prospect to review RFP 25

26 When to Just Say No Size of opportunity versus costs of answering RFP Will opportunity benefit company growth? Would legal or negotiation costs be too high? Contract Requirements: Do contracts meet the actual project or are they canned? Are requirements unreasonable for your company to assume liability or risk? 26

27 Group activity POC & Optimizing How are your current POC activities working? Strengths, weaknesses, how to be effective? Identify obstacles that should be changed to improve POC! Costs, Time effort Identify key criteria to improve your process Criteria and measurements Resource management Are the right internal resources define, reliable Timelines defined, can you handle multiple in parallel? Have you planned for scaling of process? How? 27

28 Thank You! Bruce Benson VP Technology and Development Eagle Technology Management, Inc Time For Questions 28