III
see attached.
II.docx
To fully appreciate the request for proposal (RFP) concepts, you will conduct internet research on companies within your selected choice of industry. You will choose between the following industries: aerospace, healthcare, or government agencies. Once you have completed your research on one of these industries, you will create your own fictitious company and determine a product or services that you want to contract a vendor to provide for you.
You will develop an RFP and cyber security framework of what you have researched in your choice of industry. You must include the following information in your assignment:
· a title page containing the company name and your name;
· a main page containing the topic areas of the RFP with a brief explanation of each topic based on the industry you have selected and the company that you have created;
· a checklist of information about the product and/or services and the vendor requirements;
· the threat or risk analysis in which the threats or risks are prioritized, resolutions for project security are correlated, and critical assets are audited to ensure accurate preemptive actions are taken;
· the contents of the security framework, which should include at least 12 control identifiers (ID) with family notation of your choice and should include whether the control identifier is of low risk, moderate risk, or high risk impact;
· a gap analysis including at least three controls for ID;
· and a reference page that must contain at least three references.
Your security framework must be at least three pages in length, not counting the title page and references page. This security framework will be used to produce a PowerPoint Presentation in Unit VI. Adhere to APA Style when creating citations and references for this assignment.
UnitII.pdf
SEC 4320, IS Security Capstone
Course Learning Outcomes for Unit II
Upon completion of this unit, students should be able to:
1. Compile a vulnerability assessment using the current security posture.
1.1 Prioritize those threats or risks which could affect the security measures of the product or services.
4. Propose a security plan for a project solution.
4.1 Correlate resolutions for the project security strategy.
5. Construct preventative measures to ensure critical assets are secure.
5.1 Audit critical assets to ensure accurate preemptive actions are taken.
Required Unit Resources
In order to access the following resources, click the links below.
Buddeberg, R. (2002, February 18). Finding vendor is a step-by-step process. Marketing News, 36(4), 10. https://search-proquest-com.libraryresources.columbiasouthern.edu/docview/216414961?accountid=33337
Faletra, R. (2013, February 1). Revisiting vendor assessment. CRN: The newsweekly for builders of technology solutions. https://search-proquest-com.libraryresources.columbiasouthern.edu/docview/1288824197?accountid=33337
Gigoo, S. (2007). IT infrastructure qualification and system validation: IT vendor perspectives. Pharmaceutical Technology, 31(1), 60–72. https://link.gale.com/apps/doc/A159643843/AONE?u=oran95108&sid=AONE&xid=4ad32850
Unit Lesson
The vendor assessment is one of the many important topics within your request for proposal. The vendor assessment allows for potential and/or recurring vendors to know your requirements regarding how the product or services will be developed. For example, let’s say you are looking for a new vehicle, and your requirements are that it must seat six individuals comfortably and must have air conditioning, heating, power windows, defroster, and a six-cylinder engine that gets at least 20 miles to the gallon. Now that you have your requirements, the next step is to contact and alert the different vendors (car dealerships) that you are in the market for a new car. You personally contact the vendor through email, telephone, or in person at the dealership and provide them with your requirements. The information the vendors (car dealerships) will want to know is the expected delivery date of the new car, preferred car color, type of warranty you want, any accessories you would like, and the maintenance plan you would like. Even the reputation of the dealership factors into the vendors’ assessment and scoring.
According to Buddeberg (2002), there are three steps that you should follow when choosing the vendor that you wish to work with:
• self-assessment, which helps you determine what you need or do not need and what you might like to have;
• vendor assessment, which helps you determine what each vendor offers; and
• vendor scoring, which helps you determine which vendor is the best one for your needs.
UNIT II STUDY GUIDE Vendor Assessment
With the information you provided in the self-assessment and the information gathered from the different vendors, you should be able to create a checklist in which you list your product expectations and the services that each vendor provides. In addition, the vendor checklist includes each vendor’s pros and cons, strengths and weaknesses, or certain services the vendor provides that might be a threat (such as a vendor offering a warranty that only covers the first 5,000 miles or a dealership having only a two-and-a-half star rating). From the perspective of information technology, it is recommended that you read the article “IT Infrastructure Qualification and System Validation: IT Vendor Perspectives.” This article provides insight into vendor assessment for information technology using pharmaceutical technology.
The contents of the vendor assessment checklist should include at least the vendor name, purpose, services, accessibility, and maybe a risk level. This checklist should include the requirements for the product and/or services along with what is also expected from the vendor. Once the client receives the completed vendor assessment portion of the request for proposal, the client can determine which vendor best fits the specifications to work on the product. The checklist should also address the solutions to any possible threats or risks, what proactive measures to take to avoid or reduce the threats or risks, and, most importantly, how to prioritize the threats or risks for the products or services. As Faletra (2013) mentions, the client should look at a vendor’s cost transfer, a vendor’s motivate versus mandate approach to the economy, and a vendor’s willingness to put all its resources behind the project.
Please view the video Better Prices From Suppliers | Cost Saving Purchasing Tips to gain more of an understanding of cost savings. (A transcript and closed captioning are available once you access the video.)
As you read through the various articles by Buddeberg (2002), Faletra (2013), and Gigoo (2007) found in the Required Unit Resources section of your study guide, you will see that each author had different ways of looking at vendor assessments. Consequently, there is no wrong or right way for a client to create a vendor assessment. Of course, the only wrong way is not to have a vendor assessment at all. Below is an example of a simplified vendor assessment checklist.
Client Vendor Checklist
| Item | Equipment Inventory | Facilities | Work Experience | How Many Employees | Equipment/Applications Needed | Maintenance |
|---|---|---|---|---|---|---|
| 1. Use and Develop Personally Identifiable Information (PII) | 25 Workstations | Main Office and Warehouse | | | | |
| 2. Security Transmission of PII | 3 Servers | Main Office and Warehouse | | | | |
| 3. Maintain PII Devices | 3 Servers | Main Office and Warehouse | | | | |
| 4. PII Threats | | Main Office and Warehouse | | | | |
The client needs to utilize personally identifiable information (PII) in order to conduct business within the organization. As with other organizations, the client has a number of workstations and servers but has no other information on how to enable the PII. The client develops a checklist for vendors to determine what work experience they have, to pinpoint how many employees will be needed for this project, and to identify what additional equipment and/or applications will be used. The checklist should also include the maintenance cost for the life of the system. In addition, the vendor should identify the PII threats. This is just a simplified checklist to provide an idea of what vendor assessment documentation looks like. The Internet provides many more examples of vendor assessments, so take advantage of the research on vendor checklists/assessments.
References
Buddeberg, R. (2002, February 18). Finding vendor is a step-by-step process. Marketing News, 36(4), 10. https://search-proquest-com.libraryresources.columbiasouthern.edu/docview/216414961?accountid=33337
Faletra, R. (2013, February 1). Revisiting vendor assessment. CRN: The newsweekly for builders of technology solutions. https://search-proquest-com.libraryresources.columbiasouthern.edu/docview/1288824197?accountid=33337
Gigoo, S. (2007). IT infrastructure qualification and system validation: IT vendor perspectives. Pharmaceutical Technology, 31(1), 60–72. http://search.ebscohost.com.libraryresources.columbiasouthern.edu/login.aspx?direct=true&db=edb&AN=23841509&site=eds-live&scope=site