Appendix 3. An RFI/RFP for evaluating managed security services providers (MSSPs)

Whether conducting the request for information (RFI) or request for proposal (RFP) process, a quality set of questions for potential vendors to respond to provides a solid base for helping evaluate and narrow down a vendor for your service. The RFI in particular is good for this sort of "fact finding," acting as an ideal means for learning more about a potential solution and how it can solve your problems, or when you're not even sure how to solve your problem yet. However, the RFI should not be unduly long and tedious to complete for prospective vendors; it should be concise, direct, and honest. This means not only presenting a clear and humble vision of your own organization and its goals, but also asking just the right amount of questions to allow potential vendors to demonstrate their expertise and provide a clearer picture of who they are. Some take a technical approach to an RFI, using dense language and complicated spreadsheets for fact finding. However, vendors appreciate a slightly more inviting approach, with practical questions or requests that are carefully chosen because they matter to you.^[1]

What follows are a carefully selected set of "questions" for managed security services providers (MSSPs) posed as, well, requests for information. This collection of questions is admittedly long. Keeping with advice about maintaining a concise RFI, you may not use all of these as part of your RFI process. Remember that an RFI is not meant to answer all of your questions, but rather is meant as a means to help narrow down your search to a few quality candidates while learning more about each other.^[1] Feel free to narrow this list down to those questions that are most important to you as part of this fact finding mission.

Sources used to compile this selection of RFI questions include:

• Expel's "12 revealing questions to ask when evaluating an MSSP or MDR vendor"^[2]
• NTT Security's How to Write an MSSP RDP whitepaper^[3]
• Secureworks' RFI/RFP template^[4]
• Solutionary's RFP/RFI Questions for Managed Security Services whitepaper^[5]
• The U.S. Department of State's Bureau of Diplomatic Security's 2020 RFI requesting MSSP services^{[6][dead link]}

RFI/RFP introduction

If you're conducting a full RFI or RFP, you're going to lead with the standard components of an RFI or RFP, including:

• a table of contents;
• an honest introduction and overview of your organization, its goals and problems, and the services sought to solve them;
• details on how the RFI or RFP evaluation process will be conducted;
• basis for award (if an RFP);
• the calendar schedule (including times) for related events;
• how to submit the document and any related questions about it, including response format; and
• your organization's background, business requirements, and current technical environment.

Organization basics

Primary business objectives

Please describe the primary business objectives for your organization.

Organization history

Please give some background on your organization's history, including how long it has been offering managed security services (MSSs).

Financial stability

Please provide information concerning the financial stability of your organization. If your organization is public, please include relevant documents such as annual reports and supporting financial statements. If private, please include documentation that supports the representation of your organization as a stable, profitable, and sustainable one. If not profitable, please provide details about your organization's path towards profitability.

Managed security services offered

Please describe the primary MSSs offered by your organization, particularly any of which may be relevant based upon our company's stated needs. If the services are tiered, explain the different levels of service and any significant exceptions and differences separating the levels.

Details about those managed security services

Please provide details about:

• number of MSSs clients specifically using your organization's device management, security monitoring, vulnerability testing, log management, and other security-based managed services;
• how long each of your organization's MSSs has been offered;
• the growth rate of your organization's MSSs over the prior fiscal year;
• how your organization's MSSs or your organization overall are ranked by top research firms such as Gartner and Forrester; and
• any awards received for your organization's MSSs.

Vision and investment in those managed security services

Please provide details about the vision and future direction for choosing, developing, and implementing new in-house or third-party technologies as part of your organization's MSS initiative. Additionally, discuss the level of investment made by your organization—including in-house research and development—towards solving emerging cybersecurity challenges and improving your clients' return on investment (ROI).

Experience and references

Please provide details on:

• how many clients you provide (or have provided) MSS to in our organization's industry;
• whether any of them are willing to act as references for your services;
• what experience your organization has in meeting the unique security monitoring requirements of our industry;
• any examples of clients being a learning source for improving your service; and
• any whitepapers, reports, etc. authored by your organization that are relevant to our industry.

Infrastructure, security, and related policies

Internal security policy and procedure

Please describe your internal policy and procedure (P&P) regarding security within your organization, including any standards your organization has adopted as part of that P&P. Address any ancillary security policies regarding, e.g., acceptable use of technology, remote and from-home work, and security awareness training.

Business continuity and disaster recovery policy

Please describe your organization's P&P regarding business continuity and disaster recovery.

Security operation centers and related infrastructure

Does your organization use security operation centers (SOCs) to support its MSSs? If so, please provide details about:

• whether or not you own and manage the SOCs;
• where the primary and secondary SOCs are located;
• where our data will be located;
• what specifications are used for data in transit and at rest;
• whether or not all SOCs are "always on" and available;
• what level of redundancy is implemented within the SOCs;
• how that redundancy limits service interruptions should an SOC go offline;
• what level of scalability is available to clients with growth or contraction states; and
• what qualifications and certifications apply to each SOC.

Physical security at security operation centers

Please describe the physical security (e.g., locks, badges, physical security perimeters, surveillance systems, etc.) and continuity measures (e.g., fire suppression, backup power, etc.) put in place at your organization's SOCs. Also address visitor procedures and how they are conducted. How are unauthorized access attempts at SOCs responded to?

Staffing at security operation centers

Please describe the staffing procedures at these SOCs, including what percentage of overall staff is dedicated purely to delivering and managing MSS activities and accounts. Clearly define any implemented classifications of staff based on level of support or data sensitivity, as well as any related certifications and training required at each support or data sensitivity level. Are contractors treated any differently? Finally, describe what background checks or screening procedures, if any, are implemented towards any individual related to your organization's MSSs.

Independent infrastructure review

If your organization has received an independent review of its MSS infrastructure and services (e.g., SSAE 16), please provide details of this review, preferably with the full report, but if not, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an independent review, please provide details of any plans or ongoing efforts towards such a review.

Internal infrastructure review

If your organization has performed an internal review of its MSS infrastructure and services, please provide details of this review, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an internal review, please provide details of any plans or ongoing efforts towards such a review.

Auditing of your operations

If the results of your independent and/or internal review cannot be shared, will your organization allow us to—on our own or through a third party—audit your operations, with the goal of determining the appropriateness of your organization's implemented safeguards?

Auditing of client data

Please describe how your organization handles requests from outside entities for client data and notifies clients when such requests are made. If subpoenas, court orders, search warrants, or other law enforcement actions were to take place, describe how you would maintain any privileged, confidential, or otherwise sensitive information as being protected. Do you have legal representation should these issues arise?

Service: Threat intelligence

Research team

If your organization has a research team dedicated to threats and vulnerabilities, please describe the team, how it's integrated with an SOC's operations, and what services that team supports beyond research. If the research team has a mission, please state that mission.

Threat detection

Please describe the information sources the research team uses to gather threat intelligence. Provide specifics about any anomaly detection, behavioral analysis, malicious host detection, signature analysis, and volume analysis detection methods.

Use of and access to threat intelligence

Please describe how gathered threat intelligence is analyzed and validated. Additionally, describe how that analyzed and validated threat intelligence is used in the management and monitoring of our devices and data. Finally, please describe what level of visibility and access a client has into this intelligence, as well as the research team itself.

Examples of action on threat intelligence

Please provide examples of how threat intelligence generated by your organization's research team (or someone else) has been effectively used to protect clients. Also provide examples of organization white papers, use cases, threat reports, or internal write-ups (if available) regarding threat intelligence and its effective use.

Service: Vulnerability testing

Vulnerability testing basics

Please describe the architecture behind any vulnerability testing your organization may conduct, including configuration, scoping, and scheduling capabilities. Also describe the origin of testing protocols used. If your architecture supports web application scanning and testing for database vulnerabilities, please provide important details.

Vulnerability identification and confirmation

Please describe how vulnerabilities are identified and confirmed. If your organization has a process for identifying and reporting false positives, provide details. Additionally, if a process is in place to escalate and prioritize confirmed vulnerabilities, please describe it. Finally, is vulnerability data incorporated into overall security monitoring processes, and if so, in what ways? For example, can vulnerability testing results be correlated to other monitoring and analysis data to provide a status of being "on-target" or "off-target," along with an impact analysis rating?

Vulnerability testing process

Please provide details of how vulnerability testing is scheduled and how associated reports are delivered. Additionally, explain whether or not clients can conduct their own vulnerability testing and upload the results to you.

Internal and external testing

Please describe whether or not the vulnerability testing process can be run both internally and externally, and if so, on what infrastructure. If your organization provides internal vulnerability scanning as or supports external vulnerability scanning through a PCI Security Standards Council Approved Scanning Vendor (PCI ASV) for quarterly compliance, please provide details.

Service: Endpoint protection

Endpoint protection basics

Please describe any managed service your organization provides in regard to endpoint security. Address whether or not service agents must be installed at every endpoint and what bandwidth requirements they may have. Also, please describe whether the endpoint protection service is "always on" or acts as a schedules service. Also state what management responsibilities are associated with the service, and by whom.

Visibility and notifications

Please provide information about how visible endpoint security is to clients. Describe what types of alerts are given in association with endpoint security and what, if any, remediation recommendations are provided.

Data retention

Please describe your organization's data retention policies related to endpoint data collected as part of the endpoint protection service.

Endpoint protection features

Please describe:

• whether or not threat intelligence is integrated into your endpoint protection service;
• what operating system (OS) endpoints are covered by the service; and
• what level of remote incident response is supported and whether compromised endpoints can be quickly isolated from your organization's network.

Service: Malware protection

Malware protection basics

Please describe any managed service your organization provides in regard to malware protection. Address whether or not your service uses sandboxing technology, and if so, what type.

Malware protection features

Please describe:

• whether or not threat intelligence is integrated into your malware protection service;
• whether or not the service is able to detect malware designed to evade a traditional sandbox; and
• whether or not the service is able to detect zero-day malware threats.

Service level and support

Please describe whether or not a "defense in depth" approach is taken with malware protection, and if so, whether this is a complimentary part of the service or at additional cost. Additionally, describe your policy about assisting clients with remediation in the event of malware compromising client systems.

Service: Overall cloud security

Company philosophy or approach

Please describe how your cloud services address the ephemeral nature of cloud computing while at the same time helping clients maintain their overall security posture. Explain your organization's approach to its security team, including whether or not a dedicated team of security researchers are utilized. If such a team exists, also explain how that research from that team is incorporated into MSS activities. Finally, describe your team's overall approach to monitoring, analysis, and correlation of security threats, including how automated and human-based analyses are balanced in their approaches and in their handoff to each other.

Technology and security

Please describe:

• the technical architecture of your MSS in the cloud, including any associated hardware and software agents that are installed;
• whether or not you can manage client devices, and if so, how;
• how troubleshooting for any managed devices is handled and subsequently validated should changes need to be made;
• what firewall performance monitoring your MSS is capable of in the cloud;
• how managed and monitored intrusion prevention and detection is implemented as part of your MMS;
• how security mechanisms built into your cloud solutions are activated; and
• what integration requirements, if any, exist for securely connecting to data analysis, incident management, or other SOAR (security orchestration, automation, and response) tools.

Event correlations and rules

Please explain how event information can be used within your correlation and rules engine. Additionally, describe whether or not event correlations can be made across multiple client device types, across clients, and by user identity.

Vulnerability testing

Please describe what agreements, if any, your organization has with CSPs to perform different types of vulnerability assessments on their platforms;

Logging

Please describe your approach to collecting, analyzing, correlating, and acting upon cloud log and event data and how you're able to gain visibility into anomalous activity. List the log and event data sources and devices you support by clients and other CSPs. Do you enrich log data with your own contextual elements such as IP reputation scores and GeoIP2 data? Finally, provide background on your organizational policy in regards to retaining and making available collected log and event data.

Monitoring

If your MSS provides a cloud monitoring portal to clients, please describe it. Include details on what data is viewable and reportable, as well as whether or not a central dashboard for all types of data is available. If not, explain how are clients are informed of security threats and other service-related activities. Additionally, if a client runs their own red team exercises on their infrastructure, does your organization have the capability of monitoring for and detecting those authorized red team activities, as well as reporting on them?

Incident response

Should a security threat be identified by your monitoring team, please explain how your incident response team cooperates with the monitoring team for efficiency. Additionally, describe how your incident response team works together with clients during a security incident, including the handling of breach notification.

Hybrid and multicloud

Please describe how your cloud services and their associated technology enable and improve secure integrations in hybrid and multicloud scenarios.

Ancillary services

Please describe if your organization is capable of assisting clients with security audits and certifications of their cloud installations. If your organization also provides consulting, technical testing, penetration testing, forensic investigation, and threat remediation services, please describe them, as well as any associated service tiers. How do teams associated with incident response and threat remediation services use their capabilities to provide value to the client?

Reporting

Approach to reporting

Please describe your organization's approach to meaningful reporting, including the selection of security metrics. Explain how your MSS reporting provides value to clients by demonstrating security effectiveness and quality return on investment (ROI).

Reporting basics

Please describe your organization's approach to standard reporting, including details such as:

• report frequency;
• access and distribution methods (e.g., portal, app, email, SMS);
• format (e.g., PDF, Excel, HTML);
• authenticity (i.e., can they be digitally signed and tracked);
• the structure of the reporting interface;
• whether or not the reporting interface can integrate with other systems, or vice versa;
• any integration of reporting across different services; and
• available and requestable report types, including pre-built, customizable, compliance, and regulatory reports.

If possible, provide examples such as sample reports or screenshots of your web-based interface. If reports can be customized, provide details of how this is accomplished.

Asset-based and ad-hoc reporting

Please explain any asset-based and ad-hoc reporting capabilities available as part of your managed security services. If asset-based reporting is available to clients, describe whether or not the service allows clients to create and group assets, assign criticality levels to them, scan them, and view events related to them. IF ad-hoc reporting is available to clients, describe the request process and turnaround time (TAT) for such reports.

Availability

Please explain how long MSS reports and associated data are accessible after creation, as well as whether or not any of that information is archived.

Account management and support

Support basics

Please describe your organizational approach to client support and how that support is structured, including the processes and mechanisms for handling client inquiries and issues. Describe the communication mechanisms primarily and secondarily used for support, including mailed documentation, phone calls, electronic communication, and face-to-face communication. Explain how the escalation process for inquiries and reported issues should be handled.

Help desk and support ticketing

Please indicate what help desk or ticketing functionality is available for clients having MSS-related incident and troubleshooting issues. How should clients go about using such tools to initiate the support process?

Availability, provisioning, and responsiveness

Please indicate the availability of your organization's support services, including hours offered. Also indicate who is provisioning the service, whether it's in-house or a third party, and from where the service is provisioned. Note whether or not support services change hands at any point. Finally, describe how support quality is guaranteed at all times, including any guarantees on responsiveness.

Client satisfaction

Please describe how your organization measures and reports (including frequency) client satisfaction with support and account services. Describe how deficiencies in client satisfaction are addressed and resolved within the organization.

Ancillary services

Please indicate whether or not your organization provides value-added support services, and if so what type. Can a dedicated account manager with sufficient technical knowledge be provided, and if so, at what cost?

Service level agreements (SLAs) and contracts

SLA basics

Please describe the details of your SLAs for the various services you provide, including any negotiable aspects of the SLAs. Provide examples. Any relevant measurements and ranges for work performed by you (e.g., service speed, response times, and accuracy) should also be clearly defined and stated. Explain what the cost implications related to any differing service levels are. Finally, explain whether or not your organization provides clients with a 30-day proof of concept test of the services to ensure your organization can prove its marketing and operational claims.

SLA failure

Please explain how your organization monitors and measures its compliance with an SLA. Describe what options are available to clients upon your organization failing to meet an agreed-upon SLA.

Contract termination

Please describe your policy on archiving, deleting, and helping transition client data from any of your systems upon contract termination, including particulars about data formats, deletion methodologies, and transfer methods. Any explanation should include the respective termination rights of both the organization and the client.

Service implementation

Implementation basics

Please describe your approach to implementing your MSS for clients. You should address:

• the standard timeframe for implementation and onboarding (overall average or last 10 customers);
• whether or not a dedicated point of contact will be maintained throughout implementation, to the end of the contract;
• what resources clients will require to support the implementation and throughout the contract's duration;
• what device and database integrations are supported in an implementation;
• whether or not unsupported devices and databases can be added for support;
• how the impact or disruption of client resources is minimized during implementation; and
• what your normalization and fine-tuning procedures are.

Completion and handoff

Please describe what steps are taken to ensure the implementation is complete, as well as how the service is handed off to the client afterwards. If your organization provides training and documentation at handoff, describe how this training and documentation is administered, and at what additional cost, if any.

Multi-site implementations

Please describe the process used when implementing a service to a client with many geographically dispersed facilities.

Pricing

Pricing basics

Please describe how your company's pricing and payment models meet industry standard practices (e.g., payment per actual services consumed, per GB of storage, per server, per annual subscription, etc.). Provide pricing estimates and examples based upon the various services provided using a current published catalog, standard market pricing, and/or web enabled price calculators. Explain how any metered services are clearly reported and billed. Ensure all costs are accurately reflected, including any:

• underlying "implied" costs,
• initial "stand up" costs,
• ongoing maintenance or subscription costs,
• renewal-related price increases
• data download costs, and
• termination costs.

References

Citation information for this chapter

Chapter: Appendix 3. RFI questions for MSSPs

Title: Choosing and Implementing a Cloud-based Service for Your Laboratory

Edition: Second edition

Author for citation: Shawn E. Douglas

License for content: Creative Commons Attribution-ShareAlike 4.0 International

Publication date: August 2023