How should CISO define the requirement for solutions related to the Firewall domain?

•  To ascertain total throughput required. The requirement be finalized keeping in view the current traffic as well  as expected increase in volumes over at least next 3-5 years.
•  To ascertain what is the throughput required for individual interface.
•  How many interfaces are required in the firewall.
•  Do we require additional modules (IPS, anti spoofing etc). If yes then what are those.
•  Any technological constraint or specific requirement

( Read more:  Database Security Vendor Evaluation Guide )

What are the key parameters based on which CISO would choose a vendor for the same?

• Vendor should have prior experience in supply,installation and maintenance of information security devices. The projects should have been of comparable size. Number of successful deployments should be considered.
• Vendor should be authorized partners of the OEM of the equipment to be supplied.
• Previous record of supply and maintenance/ business dealings should be unblemished and of having successfully supplied and deployed information security equipment
• Should have qualified staff on roles for support for supplied equipment. These staff should hold the certifications on the product from the OEM.
• Licensing and free requirements are crystallized on various factors like throughputs, components, applications, sites etc.

( Read more:  Technology/Solution Guide for Single Sign-On )

Top Questions to ask vendor for evaluating the offering/Vendor Evaluation Checklist

• Proposed solution should not be nearing end of life / end of sale / end of support currently. Residual life to be at least 5 years
• Life road map of system should ensure that the solution is covered under support for period of at least 5 years from date of purchase / installation by OEM
• What is the support structure of vendor and how will the support be provided (on-site, off-site, remote, session logs and audit)
• How the updates / patches be made available (online and regular updates are preferable / fixed frequency)
• What is the SLA (with specific reference to Uptime Assurance, Turn Around Time)
• What is the level of engagement with OEM for the supply (It should be supply and support)
• Responsibilities of the OEM towards the purchaser (for supply, installation and maintenance)
• What if the front ending of the existing vendor ends abruptly, whether OEM provides an alternative and of what quality/ assurance.

( Watch more : Attacks on Smart TV and Connected Smart Devices )

Top mistakes to avoid while selecting a vendor?

• Solution should not be nearing its end of life / end of support
• There should be no ambiguity regarding the terms and conditions of services
• Tenure of engagement of services of the vendor should be amply clear and accepted in writing by both the parties
• Verification of the documents submitted by vendors should be done from original source or alternate source before selection
• Price discovery should be done where ever possible.

-Sunil Soni, CISO, Asstt. General Manager, Punjab National Bank tells CISO Platform about Selecting Firewall Vendors

( More:  Want to share your insights? Click here to write an article at CISO Platform )