My firm does a significant number of requests for proposals for clients and a version of what Mr. Harvey has commented on is occasionally part of the RFP (depends on the thing being procured). Where reasonable, the initial RFP will reference SSAE16 or the like but I prefer a list of questions for the same reasons Mark McCul articulated previously in this thread. When doing a large procurement and particularly a competitive procurement for a public institution, accepting your standard document may not allow for acceptable (to the procurement office) as it doesn't allow easily for "apples to apples" comparisons. When doing these procurements we realize how much of a pain the response process is and try to keep the effort as much in check as possible while balancing the due diligence and procurement requirements. One part of the balancing act that may not be entirely obvious is the need to ease the proposal review process both for us, and more importantly, for the client who doesn't tend to have the same experience in analyzing proposals. Putting the RFP respondent through extra effort is preferable to putting the client through that effort.
Jon

On Wed, Oct 30, 2013 at 5:54 PM, Warner <[email protected]> wrote:

> On Wed, Oct 30, 2013 at 04:47:45PM -0400, Mark McCul([email protected]) wrote:
> <snip>
>
> The yes/no nature is specifically to reduce confusion and minimize "answering a different question." It also serves as a point for vendors, many of whom want to know your security policies to influence their future product design. Sometimes, it's the little changes that make a big difference.
> <snip>
>
> Yes/no often ties to a risk model and enables easier summary reporting.
>
>
> Warner
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
