
Many organizations are concerned about security, privacy and vendor management for information technology (IT) services and applications, and rightly so. As more organizations purchase “Anything as a Service” (XaaS) cloud-computing products, the need for understanding the security and privacy status of those products grows because:
- The organization may no longer control its most sensitive data and may be dependent on the vendor for critical business processes involving that data.
- Organizational data could potentially be aggregated with the data of the vendor’s other customers, leading to privacy concerns.
- The vendor could have security or technology defects in its infrastructure that impact the organization.
- The organization must rely on vendor attestations to comply with laws and regulations.
Tools for evaluating the security and privacy of third-party applications and services proliferate. You can ask a Software as a Service (SaaS) provider for an external audit report that attests to its internal controls. You can subscribe to a service that conducts a security review for you. Or you can self-assess the application or service you are considering using at your organization. Your options, and the tools available to evaluate IT acquisitions, are seemingly limitless.
While the assessment and evaluation tools may be limitless, the window of time to successfully conduct such a security and privacy review is not. Evaluate an IT-based service too early in the procurement process and you potentially waste your time and that of the vendors under consideration. Evaluate the service too late in the process and it might be harder to address any security and privacy concerns that you discover, especially as your organization becomes convinced that a particular vendor service or application best meets its needs.
Procurement Process Basics
Procurement processes, particularly those at large, complex, and distributed organizations, can be complicated. At a high level, the procurement process includes:
- Requisition: where a department or unit requests a specific purchase
- Procurement and contracts: the process by which a requisition is approved for purchase
- Shipping and receiving: the receipt of the purchased good or services
- Accounts payable: payment for goods or services received
There are several activities that the procurement department must oversee at each step. Not only must it manage the solicitation and bid process, but it may also be responsible for budgeting, negotiating and executing contracts, confirming that the goods or services received match the contract terms, paying vendors and service providers, ensuring compliance with organizational policies and local law, and even guaranteeing competitive and ethical business practices for the organization. Thus, working with procurement departments to outline general provisions for IT acquisitions is critical.
Timeline for Assessing the Security and Privacy of IT Acquisitions
Assessing and evaluating the security and privacy of third-party IT services and applications can take time. It is also somewhat distinct from assessing and evaluating the organization’s functional requirements for a service or application. While the organization’s list of functional requirements may contain basic security and privacy specifications, evaluating those specifications in depth should come after the organization determines that the service or application meets its basic business needs.
Reviewing security and privacy specifications after a preliminary review of functional requirements and the creation of a shortlist of suitable products ensures that the organization is not wasting resources in reviewing services and applications that will not be selected for procurement. The time for conducting this security and privacy review is during the procurement and contracts phase, usually before selecting a product for a proof-of-concept demonstration or continued contract negotiations.
To ensure that security and privacy specifications are adequately considered during an IT acquisition, organizations should include their IT and information security teams in the basic procurement process as follows: