Page 1: Differentiate Your RFP from the Competition with ISO Certification
Source: ilta.personifycloud.com/webfiles/productfiles/914085/RRMPG1.pdf

Differentiate Your RFP from the Competition with ISO Certification

Tom Morrissey – Sr. Director, IT Litigation – Purdue Pharma LP
Paul McKay – Information Security Officer – Bond Pearce LLP

Session # RRMPG1

“The opinions expressed or presented during this session are those of the individual speakers and do not necessarily reflect the official policy or position of any of their respective employers.”

Page 2:

RFPs from the client perspective

Page 3:

About me

• Married for 20 years
• 3…no 4…kids
• Been at Purdue Pharma for 8 years
• In the legal field since 1981…OMG or OLD
• I’ve seen every mistake…at least twice
• Made a few of those myself….

Page 4:

Why do RFPs?

– Good business practice.
– Allows us (the client) to articulate our requirements and allows you (the firm/vendor) to understand our basic needs or objectives.
– Can shorten the contract timeframe when the contractual terms used in the RFP and the response carry straight into the contract.
– The devil is in the details (capabilities, financials).
– Competition is good!
– We can quickly learn who is and is not a ‘player’.

Page 5:

What can be expected from a good RFP

– Remember the interview where the person asked you to “Tell me about yourself”?
  • You should have walked out… Bad interview ahead!
– Same with the RFP:
  • Expectations should be set from the start.
  • Specific questions about assets and capabilities speak volumes about how serious the potential client is.
– Allows for feedback and questions.

Page 6:

Types of Requests regarding security/controls

• Completing the request honestly and accurately is more important than any single control, precaution, or procedure being in place. Not all controls are required; what is required is knowledge of what is in place.
• Security Policies
  – Please provide copies of the Corporate Security Policy and any other policies relating to information security: Acceptable Use Policy, Encryption Policy, Data Retention, Data Classification Policy, Certificate Policy, Audit Policy, Remote Access, etc.
• Security Organization
  – Please provide a general outline of your security organization: number of dedicated full-time security professionals, number of shared resources, and reporting structure.
• Procedures
  – Please provide a list of any documented procedures such as Certification Practice Statement, Standard Operating Procedures, Build Procedures, Incident Response Plan, Disaster Recovery Plan, etc.

Page 7:

Types of Requests regarding security/controls

• Access Control
  – Access Control Lists
  – Firewall technology and rules
  – Authentication mechanisms
  – Encryption: VPN, SSL, S/MIME
• Physical and Environmental Security
  – How is physical security controlled at your facility? Is this done by a third party and, if so, which one?
  – Please list environmental controls including: air handlers, fire suppression and detection systems, and environmental alerting systems.
• Asset Classification and Control
  – Data classifications and handling
  – Data storage and co-location
  – Privacy-related data management
  – Asset tracking

Page 8:

Types of Requests regarding security/controls

• Business Continuity Management
  – Availability
  – Disaster Recovery
  – Data Retention
• Incident Response and Management
  – Incident response plan
  – Intrusion detection: alerts, monitoring, configuration, location
  – Service Level Agreements
• Antivirus
  – Procedures
  – Locations
• General Technology
  – Database
  – Server OS
  – Server hardware
  – Network hardware

Page 9:

Types of Requests regarding security/controls

• Compliance, Law, and Investigation
  – Standards and regulations typically listed: ISO compliance, HIPAA, 21 CFR Part 11, Sarbanes-Oxley, GLB, SB1316
  – Do you maintain compliance with any of the above? How do you maintain compliance with the standard? Please provide the results of the last audit for this standard.
• Audit and Assessment
  – Please provide any policies or methodologies used in the following audits.
  – Please provide the interval at which you audit the following areas.
  – Please provide the results of your last audits of these types.
  – Do you use an independent third-party auditor? If so, who?
  – Audit areas: Privacy, Information Security, Physical Security, BCDR audit, Software Compliance

Page 10:

Why Certify Against ISO?

What does this do for the RFP process?

Page 11:

About me

• Married for 3 years
• Son "Olly" 13 months old
• Been at Bond Pearce for 13 years
• Information Security Officer, looking after ISO 27001
• Information Security 8 years
• CISSP since August 2010
• RFP / tender responses where Information Security and Business Continuity questions are asked.

Page 12:

Introduction

• What is ISO?
• Some Standards
• Benefits
• Certificate Lifecycle
• What this means for RFP
• Q&A

Page 13:

What is ISO?

• ISO (International Organization for Standardization) is the world’s largest developer of voluntary International Standards. International Standards give state of the art specifications for products, services and good practice, helping to make industry more efficient and effective. Developed through global consensus, they help to break down barriers to international trade.

Page 14:

Standards

There are several popular standards which organisations adopt

Page 15:

ISO 9001

• Most established framework – over 1,000,000 organizations in 178 countries worldwide

• Demonstrates consistent high quality work to clients

• Last revised in 2008

Page 16:

ISO 27001

• BS 7799 (1995)
• ISO 17799 Part 1 (2000, revised 2005), renumbered ISO 27002 in 2007
• BS 7799 Part 2 became the international standard ISO 27001 in 2005
• 133 controls in Annex A (ISO 27001:2005); not all have to be applicable, but each exclusion must be justified in the Statement of Applicability
• Risk-based framework

Page 17:

ISO 14001

• Effectively reduce, re-use and recycle waste
• ISO 14001 certification is also a proven business winner, with most certified organisations qualifying for more tenders and winning more orders!
• Demonstration of legal and regulatory compliance
• Compatible with ISO 9001 and ISO 27001
• Source: http://www.british-assessment.co.uk/iso-14001-certification-services.htm?gclid=CN2C-pvTybECFSsntAodbxsAOw

Page 18:

ISO 22301

• Formerly BS 25999
• Became an ISO standard in May 2012
• Ensures best practice for business continuity planning
• Preventative measures against common disasters; risk-based framework
• Testing of plans is key!

Page 19:

Benefits

• Ensure products and services are:
  – Safe
  – Reliable
  – Good quality
• Strategic tools for:
  – Reducing costs
  – Increasing productivity

Page 20:

Benefits

• Allow organisations to:
  – Gain new business
  – Standardise policy
  – Raise awareness internally

Page 21:

Certificate Lifecycle

• Pre-certification
  – Information gathering
  – Working group
  – Scope definition
  – Analyse what is required to meet the standard

Page 22:

Certificate Lifecycle

• Certification process
  – Desktop review of documentation/policies
  – Audit process
    • Speaking to various members of staff
    • Gauging policy adherence

Page 23:

Certificate Lifecycle

• ISO certificates are generally valid for a 3-year term
• Regular continuing assessment (surveillance) visits in between, typically annual, with frequency depending on organisation size and geographical locations
• Third-year re-assessment, just like the initial assessment

Page 24:

What does it all mean?

• In most cases it makes RFPs a check-box exercise
• Clients are becoming savvier and wiser to their own needs; simply complying with a standard will not be enough in the future
• Certification should be all a client needs rather than having to ask tens of questions
• You should be willing to share your certificate scope and high-level documentation with the client if requested; a certificate only covers what its scope statement says, so a careful client will check that the service being bid falls inside that scope

Page 25:

How Many Organisations?

• ISO 9001 – Over 1,000,000*
• ISO 27001 – Over 7,800**
• ISO 14001 – Over 223,000***
• ISO 22301 – ??

Sources:
* www.bsigroup.com
** www.iso27001certificates.com
*** http://www.nqa.com/en/atozservices/what-is-iso-14001.asp

Page 26:

Q & A