How should CISO define the requirement for solutions related to the Firewall domain?
- Ascertain the total throughput required. Finalize the requirement keeping in view the current traffic as well as the expected increase in volumes over at least the next 3-5 years.
- Ascertain the throughput required for each individual interface.
- Determine how many interfaces are required in the firewall.
- Determine whether additional modules (IPS, anti-spoofing etc.) are required and, if so, which ones.
- Note any technological constraint or specific requirement.
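As an added example, not from the article or from Punjab National Bank, the following Python worksheet turns the first two points into numbers: it compounds each interface's current peak rate over the planning horizon, adds headroom, and compares the result with a candidate appliance's datasheet figures. All interface names, traffic rates, growth rates and datasheet numbers below are constructed placeholders.

```python
"""Firewall throughput sizing worksheet (added example; all figures constructed)."""
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    current_peak_mbps: float   # measured peak utilisation today (constructed)
    annual_growth: float       # expected year-on-year growth, e.g. 0.20 for 20%


def projected_mbps(current: float, annual_growth: float, years: int) -> float:
    """Compound today's peak forward over the planning horizon."""
    return current * (1 + annual_growth) ** years


def size_requirement(interfaces, years=5, headroom=0.3):
    """Return (per-interface requirement, aggregate requirement) in Mbps.

    headroom is a safety margin on top of the projected peak so the box is
    not already at 100% utilisation in the final year of the horizon.
    """
    per_if = {}
    for i in interfaces:
        proj = projected_mbps(i.current_peak_mbps, i.annual_growth, years)
        per_if[i.name] = round(proj * (1 + headroom), 1)
    total = round(sum(per_if.values()), 1)
    return per_if, total


def check_candidate(required_per_if, required_total, datasheet):
    """Compare the requirement with a candidate's datasheet and list shortfalls.

    datasheet = {'interface_mbps': {name: rated}, 'inspected_throughput_mbps': N}
    Compare against the throughput rated WITH the security features you will
    enable (IPS, TLS inspection), not the bare stateful-firewall headline figure,
    since enabling inspection modules lowers the usable throughput.
    """
    findings = []
    for name, need in required_per_if.items():
        rated = datasheet['interface_mbps'].get(name, 0)
        if need > rated:
            findings.append(f"{name}: needs {need} Mbps, interface rated {rated} Mbps")
    rated_total = datasheet['inspected_throughput_mbps']
    if required_total > rated_total:
        findings.append(
            f"aggregate: needs {required_total} Mbps, inspected throughput rated {rated_total} Mbps")
    return findings


# Constructed sample interfaces and a constructed candidate datasheet.
SAMPLE_INTERFACES = [
    Interface("wan", 400.0, 0.25),
    Interface("dmz", 150.0, 0.15),
    Interface("lan", 900.0, 0.20),
]
SAMPLE_DATASHEET = {
    "interface_mbps": {"wan": 1000, "dmz": 1000, "lan": 10000},
    "inspected_throughput_mbps": 4000,
}


def run_sample():
    """Size the constructed interfaces over 5 years and check the sample candidate."""
    per_if, total = size_requirement(SAMPLE_INTERFACES, years=5, headroom=0.3)
    findings = check_candidate(per_if, total, SAMPLE_DATASHEET)
    return per_if, total, findings


if __name__ == "__main__":
    per_if, total, findings = run_sample()
    for name, mbps in per_if.items():
        print(f"{name:>4}: {mbps} Mbps required (year 5, with headroom)")
    print(f"aggregate: {total} Mbps inspected throughput required")
    for f in findings:
        print("SHORTFALL:", f)
```

With these sample figures the 1 Gbps WAN interface and the 4 Gbps inspected throughput both fall short of the year-5 requirement, which is exactly the kind of gap that is cheap to find on paper and expensive to find after purchase.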
What are the key parameters based on which CISO would choose a vendor for the same?
- The vendor should have prior experience in the supply, installation and maintenance of information security devices, on projects of comparable size. The number of successful deployments should be considered.
- The vendor should be an authorized partner of the OEM of the equipment to be supplied.
- The vendor's previous record of supply, maintenance and business dealings should be unblemished, with a history of successfully supplying and deploying information security equipment.
- The vendor should have qualified staff on its rolls to support the supplied equipment, holding the OEM's certifications on the product.
- Licensing and fee requirements should be crystallized on the basis of factors such as throughput, components, applications, sites etc.
Top questions to ask a vendor when evaluating the offering (vendor evaluation checklist)
- The proposed solution should not currently be nearing end of life / end of sale / end of support. Residual life should be at least 5 years.
- The product's life road map should ensure that the solution is covered under OEM support for at least 5 years from the date of purchase / installation.
- What is the vendor's support structure and how will support be provided (on-site, off-site, remote, session logs and audit)?
- How will updates / patches be made available (online and regular updates at a fixed frequency are preferable)?
- What is the SLA (with specific reference to uptime assurance and turnaround time)?
- What is the level of the OEM's engagement in the supply (it should cover both supply and support)?
- What are the responsibilities of the OEM towards the purchaser (for supply, installation and maintenance)?
- If the existing vendor's front-ending ends abruptly, does the OEM provide an alternative, and of what quality / assurance?
Top mistakes to avoid while selecting a vendor
- The solution should not be nearing its end of life / end of support.
- There should be no ambiguity regarding the terms and conditions of the services.
- The tenure of the vendor's engagement should be amply clear and accepted in writing by both parties.
- Documents submitted by vendors should be verified against the original source or an alternate source before selection.
- Price discovery should be done wherever possible.
Sunil Soni, CISO and Assistant General Manager, Punjab National Bank, tells CISO Platform about selecting firewall vendors.