Acquisition Process


Time: 5 hours 58 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
>> Welcome back to the Cybrary SEs course. I'm your instructor, Brad Rhodes. Let's talk about the acquisition process. In this lesson we're going to look at security requirements, contracts, supply chain risk, and source selection as related to acquisition.

Why do we do acquisition? Well, sometimes it's cheaper and faster to actually buy something than it is to build it ourselves. When we talk about procuring something as an issue, we need to understand those security requirements. We're going to start with boundaries. Is this system going to be connected to the Internet, i.e., external? If it is, that drives a requirement set. If it's an internal matter, then obviously that's different. We need to look at resources: hardware, software, connectivity. Hardware is pretty straightforward. If we're building, say, a private cloud, then we need to have the hardware that goes with it. If we're going to serve a software solution that is unique and developed or built by our company, or something we're buying, we have to know where to host that. We need to know how much storage space it needs. When it comes to connectivity, it's pretty straightforward. If we are connecting a high-bandwidth requirement to the Internet, we might have to buy more connectivity that we don't have. That's a cost that we have to pay attention to.

We want to look at controls. There's technical and non-technical. We've already talked about the fact that technology is not the solution to everything. Non-technical controls are valid security requirements, and of course there are the preventive and detective type controls. Preventive controls stop something from happening, like an intrusion prevention system or a firewall. Detective controls, like an intrusion detection system itself versus prevention, are only going to tell you that something's happening, and it helps you to catch it. SIEMs can also be, say, detective controls because they can let you do retrospective looks at logs after the fact.

Then we're going to look at business needs. We've already talked about cost, schedule, scope. You remember that triangle I told you you should memorize. Well, here it is again; you're going to see this again, I think, in another slide. But then another thing when we think about business is the legal and regulatory requirements, the laws, if you will, in the jurisdiction that we're operating in. If you're operating in Europe under GDPR, that's an entirely different set of requirements you have to pay attention to versus, say, operating in the United States or Japan or other countries.

In acquisition, we're going to do contracts work. We may not be the folks that actually negotiate the contract as SEs, but we need to understand the types of contracts because that drives the types of support we get. Truly, it's three kinds I want you to remember: fixed price, cost reimbursable, and T&M or time and materials. A fixed-price contract delivers a fixed price, a fixed cost, so all of the risk is on the seller. If a seller comes in and says, hey, it's going to cost me 100 bucks to build that widget for you, and it ultimately costs them 120 bucks, we still are buying it from them at 100 bucks, so they're losing 20 bucks. Cost reimbursable, and that's where we're actually doing cost of work. If an organization that we're contracting with comes in and says, hey, it's going to cost you $100 an hour plus related expenses of, say, cloud capabilities and travel, they're not going to bill any more than that, and so that's cost reimbursable. Then we have T&M, time and materials. This is a contract, and this is probably the most expensive one of the bunch here. That's an unknown scope of work. We have no idea what we need done, and so we ask somebody to come in and help us. This is what consultants like. They really want T&M contracts because then they can just continue to bill and bill. I'm not saying that's a bad contract, I'm just saying that you just don't know the scope of work.

Supply chain risks, my goodness. In today's globalization or globalized world, the interconnectivity of everything from a supply chain perspective, it's incredibly important to understand these different areas. Raw materials come from all over the place. The labor that helps to produce them is wide and varied depending on where you go in the world; the quality of manufacture may or may not be up to snuff, so you might actually have to go to an overseas manufacturing plant and check and see what's going on. Things that are also forgotten when it comes to supply chain risk are like natural disasters. What if your primary supplier of some capability is in the Philippines, and we know that every year the Philippines gets hit with two or three typhoons, hurricane-like things? Well, guess what? You need to plan for that; you need to understand that might disrupt your supply chain. Geopolitical issues. Wow. Not every country follows the same sets of laws or same sets of ethics, and so you might actually see supply chains disrupted because of, say, a conflict between one country and another. That's incredibly important to understand and build into your plan. Then of course, there's theft of intellectual property that is happening more and more frequently. There are a number of countries that are obviously accused of doing that. But it's something we need to pay attention to. If somebody steals your intellectual property and gets to market faster with the same product that you are building, you're losing out. All of these things incur supply chain risk, and we need, as SEs, to build that into our plans when we're actually looking at procuring or acquiring raw materials, or pieces and parts or modules from different locations around the world.

Then we have source selection. Obviously we have to make a choice. We have to decide: is that supplier of a widget or is that supplier of a service going to meet our needs? We have to make a choice. How do we make that choice? We've looked at those three things we've talked about previously: scope, schedule, and cost. When it comes to scope, when we do a bid or an RFP, request for proposal, we're going to tell people what is the threshold or the minimum things a particular widget or service or whatever we need has to meet, and then we're going to give them some objectives, and that becomes the definition, if you will, of what's good or bad or what's better or not. If somebody comes in and says, I can meet all your threshold requirements and I could do three of your objective requirements, and this other person making a bid says, well, I can only do one of those objective requirements, I'm thinking we might be looking at that person that's going to be able to meet the threshold and more objective requirements. The next one is cost. Obviously, cost is the bottom-line thing here when we talk about development of complex systems. If somebody comes in way over budget, we're probably not going to buy from them, and there's a risk there. If you go with the lowest bidder, you might actually incur more risks. It's a balance when we think about costs. Then finally, schedule. If somebody comes in and says, I'll meet your schedule and get you the product or a widget or service a month early, that's great; that might actually help us. But what happens if they get delayed, or what happens if they are saying that, but then in the end, they don't deliver? You've had a problem with schedule. These are all selections when we're trying to buy something; we've got to look at each of these areas in depth as SEs, especially when it comes to security controls.

What have we covered in this lesson of acquisition? We talked about security requirements, things you need to consider there. Talked about the different types of contracts. Remember, T&M is the most expensive. We looked at supply chain risks; in the era of globalization and interconnected supply chains, it is so much harder today to understand what those risks totally are. Then of course, source selection. We've got to choose cost, schedule, scope. That's our criteria for making choices on whether or not we're going to buy a particular widget or service from a particular vendor. We'll see you next time.