Today (January 6) we issued a press release (available at www.icsalabs.com/press-release/icsa-labs-offers-tips) with tips on how businesses and government agencies can use independent product assurance from a third party to simplify the Request for Proposal (RFP) process.
Enterprises can realize significant advantages when selecting security products, namely saving time and resources, by leveraging existing third-party assurance programs where they are available, relevant, and meet, even partially, the enterprise requirements. To help organizations make this a requirement, the table below provides sample language that can be used when drafting RFPs or similar documents.
| Scenario | Example Language |
|---|---|
| Third-party diligence programs exist, testing requirements are relevant to the enterprise selection criteria, and the list of tested or certified products provides adequate choice for the enterprise. | When selecting solution components proposed in response to this request, we will only consider products which have undergone third-party assurance testing or certification. Examples of third-party assurance programs which will satisfy this requirement are those testing and certification programs operated by ICSA Labs. |
| Third-party diligence programs exist, but the list of tested or certified products does not provide adequate choice for the enterprise. | When selecting solution components proposed in response to this request, we will give strong preference to products which have undergone third-party assurance testing or certification. Examples of third-party assurance programs which will satisfy this requirement are those testing and certification programs operated by ICSA Labs. OR When selecting solution components proposed in response to this request, we will require the vendor of the product to demonstrate compliance with each of the selection criteria in the attached documents. Vendors of products which have undergone third-party assurance testing in a program like those operated by ICSA Labs may use the results of that testing in conjunction with the published testing criteria as evidence of compliance with specific requirements. |
If you’re looking for sample language for a situation not included above, or have other questions about building a certification requirement into an RFP, I’m happy to answer your questions. I look forward to hearing from you.
Comments
only applicable to consortia
only applicable to consortia or certification programs that are in existence. Not applicable to Security Information Event Management Solutions, MPLS End to End Application Security Products, Telecommunications, Call Data Recording Applications, Telecommunication Firewalls.
Full whitepaper in the works...
Very true, and a good point. There is a full whitepaper in the works which will deal with the topic at hand in more detail. It touches on this and other issues. You can get a glimpse of this in the words I supplied in the table (paraphrased): If programs exist and map well to your requirements, require products to have gone through them. IF NOT, leverage what you can in terms of existing 3rd party results (ours and others) and favor those with credible 3rd party assurance.