Security Review Process for RFP Projects

Purpose

This article outlines the steps required to initiate and manage security reviews for Request for Proposal (RFP) projects.

  • When the Project Management (PM) team participates in RFP creation, the full process applies.
  • If the PM team is notified after the RFP has already been posted, the process begins at Step 2.

Process Overview

1. Enter RFP into rSolutions

Responsibility: Project Manager

2. Create TDX Ticket for Security Review

Responsibility: Project Manager

Required Ticket Information

  • Title: [RFP ### Security Review] – RFP Name
  • Due Date: Date the RFP closes for vendor submissions
  • Status: Awaiting End User
  • Description Fields:
    • How will this application be used?
    • What type of data will be entered or stored?
    • Internal department / owner name and email

Notes

  • Opening the ticket when the RFP is posted allows the Security team to plan ahead.
  • The title format signals that the ticket will remain open longer than a standard security review.

3. Provide Security Questions in RFP

Security questions will be included in the published RFP for vendors to complete.

4. After the RFP Closes

Actions

  1. Solicitations completes vendor verification.
  2. Solicitations issues the “Evaluation Open” email.
  3. Project Manager updates the security review ticket:
    • Status: Open
    • Comment: Tag the Security team and note that the provisional review may begin.

5. Provisional Security Review

Responsibility: Security Team

Scope

  • Review vendor responses to the RFP security questions.
  • Provide provisional findings for each vendor.
  • This is a high-level review of the vendor responses only; supporting documentation is not reviewed at this stage.

Ticket Update

  • Status: Awaiting End User
  • Comment:
    • Tag PM Team and the PM who opened the ticket.
    • Include statement:
      “Provisional review completed based upon vendor responses to the RFP. Final review will be completed once demo vendors are selected.”
    • Provide provisional findings for each vendor.

6. Procurement Notification

Responsibility: Project Manager

  • Notify procurement of the provisional security review.

7. Demo Vendors Selected

Responsibility: RFP Team selects demo participants.

Project Manager Updates Ticket

  • Status: Open
  • Due Date: Update to the day before the first demo (if known)
  • Comment: Tag the Security team and notify them that the final review can begin. Include the following for each demo vendor:
    • Vendor name
    • Software name (if different)
    • Vendor website
    • Vendor contact information

8. Final Security Review

Responsibility: Security Team

Actions

  • Conduct the full security review for selected demo vendors.

Ticket Update

  • Status: Closed
  • Comment:
    • Tag PM Team and the PM who opened the ticket.
    • Provide links to final determinations.

9. Procurement Notification

Responsibility: Project Manager

  • Notify procurement of final security review.