I came across an RFP last week for cybersecurity services for a Spanish public administration which I think is really interesting, because it addresses the main cybersecurity services needed to protect citizens' data and services. However, these same services can be applied to protect the data and services of any company. What is really interesting is how well written the RFP is: it asks only for cybersecurity services and not for other kinds of services, so cybersecurity companies can apply to it easily.
First of all, the National Security Scheme (ENS, from its Spanish name, Esquema Nacional de Seguridad) has to be implemented, as well as the General Data Protection Regulation (GDPR). ENS requires writing the adaptation plan, security policy, risk analysis, incident response plan, security awareness programme, etc. GDPR, for its part, requires data protection impact assessments, a record of processing activities, etc., and in addition it requires appointing a Data Protection Officer (DPO). All of these tasks are mandatory, and they are really important before taking the plunge into the technical work.
An IT security audit should be the next step, to learn the security status of the organization; it is the best way to find out which security measures have to be implemented. What kind of security audit is required? A pentest is mandatory, as well as a network audit to find the vulnerabilities of every asset connected to the network. In addition, the RFP requires IDS/IPS, NAC and VPN appliances to control all devices that are going to connect to the network.
There is a big chapter on monitoring and protection covering network firewalls and web application firewalls (WAF), as well as web monitoring to know the availability of web applications. What's more, there is a DNS security service to block access to malicious websites at the DNS layer, so that a query for a known-bad domain is answered by the resolver instead of leading the user to the site. Together, these appliances and services protect users and services from attackers.
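To make the DNS-layer blocking concrete, here is a small model of the policy decision such a service makes for every query. This is an added example written for this post, not code from the RFP, from any vendor, or from the author. The blocklist, allowlist and sinkhole address are constructed assumptions; a real deployment would load them from a threat-intelligence feed and enforce them in the resolver (for example through a response policy zone), but the matching rules are the same: names are compared label by label (so `notbad.example` is not caught by an entry for `bad.example`), case and the trailing dot are ignored, and the most specific entry wins, which lets an allowlist entry un-block one host under a blocked zone.

```python
"""Model of a DNS-layer blocking policy (added example, not the RFP's or the
author's code). decide() returns whether a query name should be answered
normally or with a sinkhole address, which is how DNS security services keep
users away from malicious sites."""
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Assumption: the address the resolver returns for blocked names.
SINKHOLE_A = "0.0.0.0"


@dataclass(frozen=True)
class Decision:
    qname: str              # normalized query name
    blocked: bool
    matched: Optional[str]  # list entry that decided the outcome, if any
    answer: Optional[str]   # address to return when blocked, else None


def normalize(name: str) -> str:
    """DNS names are case-insensitive and an FQDN may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def load_list(entries: Iterable[str]) -> set:
    """Build a set of normalized names, skipping blanks and '#' comments."""
    return {normalize(e) for e in entries
            if e.strip() and not e.lstrip().startswith("#")}


def parent_labels(name: str) -> Iterator[str]:
    """Yield the name and each parent zone, most specific first:
    www.bad.example -> bad.example -> example."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(qname: str, blocklist: set, allowlist: set = frozenset()) -> Decision:
    """Most specific matching entry wins; on a tie the allowlist wins, so an
    administrator can exempt one host inside a blocked zone."""
    name = normalize(qname)
    if not name:
        return Decision(name, False, None, None)
    for candidate in parent_labels(name):
        if candidate in allowlist:
            return Decision(name, False, candidate, None)
        if candidate in blocklist:
            return Decision(name, True, candidate, SINKHOLE_A)
    return Decision(name, False, None, None)


# Constructed sample lists and queries for the demonstration.
BLOCKLIST = load_list(["# constructed blocklist", "bad.example", "Phish.Example.", "tracker.test"])
ALLOWLIST = load_list(["safe.bad.example"])
SAMPLE_QUERIES = [
    "www.bad.example.",      # subdomain of a blocked zone -> sinkholed
    "notbad.example",        # string suffix match only, not a subdomain -> allowed
    "PHISH.example",         # case-insensitive -> sinkholed
    "safe.bad.example",      # allowlisted host inside a blocked zone -> allowed
    "deep.safe.bad.example", # under the allowlisted host -> allowed
    "example",               # parent of a blocked zone -> allowed
]


def apply_policy(queries: Iterable[str]) -> list:
    return [decide(q, BLOCKLIST, ALLOWLIST) for q in queries]


if __name__ == "__main__":
    for d in apply_policy(SAMPLE_QUERIES):
        action = f"sinkhole {d.answer} (rule {d.matched})" if d.blocked else "resolve"
        print(f"{d.qname:28} -> {action}")
```

Running the block prints one line per sample query. The two cases worth noticing are `notbad.example`, which a naive `endswith()` check would wrongly block, and `deep.safe.bad.example`, which is resolved because the allowlist entry `safe.bad.example` is more specific than the blocklist entry `bad.example`.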
Finally, the RFP requires an incident response service, security assessment and training. I think these services are important for staying up to date on cybersecurity subjects, because the administration will be able to ask for advice on any security matter, and it will have an incident response team to investigate network intrusions and mitigate data loss. This chapter also includes a SIEM appliance to collect all security logs and improve security visibility.
To sum up, this is an overview of an RFP: you can see all the services and appliances you may require. It is up to you to require all of these services, or even to include more security services or devices, but it is highly recommended to ask only for security items rather than other kinds of services, because if you mix security with something else, most cybersecurity companies will not be able to apply to your RFP.
Have a nice day, my friends! Drop me a line with the first thing you are thinking!