Welcome back to Cybrary, of course. I'm your instructor, Brad Roads.
Let's talk about the acquisition process.
So in this lesson, we're going to look at security requirements, contracts, supply chain risk, and source selection as related to acquisition. Why do we do acquisition? Well, sometimes it's cheaper and faster to actually buy something than it is to build it ourselves.
So when we talk about procuring something as an ISSE, we need to understand those security requirements. We're going to start with boundaries. Is this system going to be connected to the Internet, i.e., external? If it is, that drives our requirements. If it's an internal matter, then obviously that's different.
We need to look at resources: hardware, software, connectivity. Hardware is pretty straightforward. If we're building, say, a private cloud, then we need to have the hardware that goes with it. If we're going to serve a software solution that is unique and developed or built by our company, or something we're buying, we have to know where to host that. We need to know how much storage space it needs.
When it comes to connectivity, it's pretty straightforward. If we're connecting a high-bandwidth requirement to the Internet, we might have to buy more connectivity that we don't have. That's a cost that we have to pay attention to.
We want to look at controls. There's technical and nontechnical. We've already talked about the fact that technology is not the solution to everything. Nontechnical controls are valid security requirements.
And of course, there's the preventive and detective type of controls. Preventive controls stop something from happening, like an intrusion prevention system or a firewall. Detective controls, like an intrusion detection system (detection versus prevention), are only going to tell you that something's happening and help you to catch that. SIEMs can also be, say, detective controls, because they can let you do retrospective looks at logs after the fact.
And then we're going to look at business needs. We've already talked about cost, schedule, scope. Remember that triangle I told you you should memorize? Well, here it is again. You're going to see this again, I think, in another slide.
But then another thing, when we think about business, is the legal and regulatory requirements, the laws, if you will, in the jurisdiction that we're operating in. If you're operating in Europe under GDPR, that's an entirely different set of requirements you have to pay attention to versus, say, operating in the United States or Japan or other countries.
In acquisition, we're going to do contracts work. We may not be the folks that actually negotiate the contracts as ISSEs, but we need to understand the types of contracts, because that drives the types of support we get. There are really three kinds I want you to remember: fixed price, cost reimbursable, and T&M, or time and materials. A fixed price contract delivers at a fixed price, fixed costs, so all of the risk is on the seller. So if a seller comes in and says, hey, it's going to cost me 100 bucks to build that widget for you, and it ultimately costs them 120 bucks, we're still buying it from them at 100 bucks. So they're losing 20 bucks.
Cost reimbursable is where we're actually paying the cost of the work. So if an organization comes in that we're contracting with and says, hey, it's going to cost you $100 an hour plus related expenses of, say, cloud capabilities and travel, they're not going to bill any more than that. So that's cost reimbursable.
Then we have T&M, time and materials. This is a contract, and this is probably the most expensive one of the bunch here, where there's an unknown scope of work. We have no idea what we need done, and so we ask somebody to come in and help us. This is what consultants like. They really want T&M contracts, because then they can just continue to bill and bill and bill and bill. I'm not saying that's a bad contract. I'm just saying that you just don't know the scope of work.
Supply chain risk, my goodness. So in today's globalized world, the interconnectivity of everything from a supply chain perspective is incredibly important to understand. These different areas: raw materials come from all over the place. The labor that helps to produce them is wide and varied depending on where you go in the world. The quality of manufacturing may or may not be up to snuff, so you might actually have to go to an overseas manufacturing plant and check and see what's going on.
Things that are also forgotten when it comes to supply chain risk are things like natural disasters. What if your primary supplier of some capability is in the Philippines? And we know that every year the Philippines gets hit with two or three typhoons, hurricane-like things, right? Well, guess what, you need a plan. You need to understand that might disrupt your supply chain.
Geopolitical issues, wow. Not every country follows the same sets of laws or same sets of ethics, and so you might actually see supply chains disrupted because of a conflict between one country and another. So that's incredibly important to understand and build into your plan.
And then, of course, there's theft of intellectual property, which is happening more and more frequently. There are a number of countries that are obviously accused of doing that, but it's something we need to pay attention to. If somebody steals your intellectual property and gets to market faster with the same product that you are building, you're losing out. And so all of these things are supply chain risk, and we need to, as ISSEs, build that into our plans when we're actually looking at procuring or acquiring raw materials or pieces and parts or modules from different locations around the world.
Then we have source selection. Obviously, we have to make a choice. We have to decide: is that supplier of a widget, or is that supplier of a service, going to meet our needs? We have to make the choice. And how do we make that choice? We look at those three things we've talked about previously: scope, schedule, and cost. Right. So when it comes to scope, when we do a bid, or an RFP, a request for proposal, we're going to tell people what is the threshold, or the minimum things a particular widget or service or whatever we need has to meet, and then we're going to give them some objectives. And that becomes the definitization, if you will, of what's good or bad, or what's better or not, right? So if somebody comes in and says, I can meet all your threshold requirements and I can do three of your objective requirements, and this other person making a bid says, well, I can only do one of those objective requirements, I'm thinking we might be looking at that person that's going to be able to meet the threshold and more objective requirements.
The next one is cost. Obviously, cost is the bottom line thing here. When we talk about development of complex systems, if somebody comes in way over budget, we're probably not going to buy from them. And there's a risk there, right? If you go with the lowest bidder, right, you might actually incur more risk. So it's a balance when we think about costs.
And then finally, schedule. If somebody comes in and says, I'll meet your schedule and get you the product or widget or service a month early, that's great, right? That might actually help us. But what happens if they get delayed, right? Or what happens if they are saying that, but then in the end they don't deliver, right? So you've had a problem with schedule. So these are all selections when we're trying to buy something. We've got to look at each of these areas in depth, as ISSEs, especially when it comes to security controls.
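A worked example of the threshold-versus-objective comparison and the cost and schedule cut-offs described above, added here as an illustration and not taken from the lecture. The requirement names, vendors, budget and bids are constructed sample data; the ranking order (objectives met, then cost, then delivery time) is one reasonable reading of the scope, cost, schedule criteria, not a prescribed rule.

```python
from dataclasses import dataclass, field

@dataclass
class Bid:
    vendor: str
    cost: float                      # proposed price, dollars
    weeks: int                       # proposed delivery time
    thresholds_met: set = field(default_factory=set)
    objectives_met: set = field(default_factory=set)

def evaluate_bids(bids, thresholds, objectives, budget, schedule_weeks):
    """Split bids into a ranked list of compliant ones and a dict of rejections.

    A bid is rejected if it misses any threshold (minimum) requirement, comes in
    over budget, or cannot meet the schedule. Compliant bids are ranked by the
    number of objective requirements met, then by cost, then by delivery time.
    """
    compliant, rejected = [], {}
    for bid in bids:
        missing = thresholds - bid.thresholds_met
        if missing:
            rejected[bid.vendor] = f"misses thresholds: {sorted(missing)}"
        elif bid.cost > budget:
            rejected[bid.vendor] = f"over budget by ${bid.cost - budget:,.0f}"
        elif bid.weeks > schedule_weeks:
            rejected[bid.vendor] = f"late by {bid.weeks - schedule_weeks} weeks"
        else:
            compliant.append(bid)
    compliant.sort(key=lambda b: (-len(b.objectives_met & objectives), b.cost, b.weeks))
    return compliant, rejected

def sample_evaluation():
    """Constructed sample RFP data (not from the lecture) to exercise the ranking."""
    thresholds = {"TLS 1.2 or later", "MFA for admins", "audit logging"}
    objectives = {"FIPS 140-3 crypto module", "SBOM provided", "SIEM integration"}
    bids = [
        Bid("Vendor A", 95_000, 10, set(thresholds), set(objectives)),
        Bid("Vendor B", 80_000, 9, set(thresholds), {"SBOM provided"}),
        # Cheapest and fastest, but misses a threshold: the lowest-bidder risk.
        Bid("Vendor C", 60_000, 8, {"TLS 1.2 or later", "audit logging"}, set(objectives)),
        Bid("Vendor D", 130_000, 10, set(thresholds), set(objectives)),
    ]
    return evaluate_bids(bids, thresholds, objectives, budget=100_000, schedule_weeks=12)

if __name__ == "__main__":
    ranked, rejected = sample_evaluation()
    for b in ranked:
        print(f"{b.vendor}: {len(b.objectives_met)} objectives, ${b.cost:,.0f}, {b.weeks} weeks")
    for vendor, reason in rejected.items():
        print(f"{vendor} rejected: {reason}")
```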
So what have we covered in this lesson on acquisition? We talked about security requirements, things you need to consider. We talked about the different types of contracts. Remember, T&M is the most expensive.
We looked at supply chain risk in the era of globalization and interconnected supply chains. It's so much harder today to understand what those risks totally are. And then, of course, source selection. We've got to choose: cost, schedule, scope. That's our criteria for making choices on whether or not we're going to buy a particular widget or service from a particular vendor.
We'll see you next time.