If you do not have a procurement department taking care of the Request for Proposal (RFP) process for you, and especially if cloud-based providers are new to you, here are some tips for planning for the RFP process. (Planning is important; remember the carpenters’ creed: “measure twice, cut once.”)
Recognize that you have more power now than you do after you sign the contract
Don’t feel guilty about being selective. Let your prospective vendors know that you may be deliberate during this process, but that once you go live you are eager to move quickly and build a win-win partnership.
Be up front about your data security and compliance requirements
Whether it is PCI, GDPR, HIPAA, or SOC, be up front about requirements early in the process. The sooner you can determine if there are gray areas, the better. And if they are not a fit, you may find out quickly and move on to the next option.
Don’t be shy about protecting your organization
Cyber liability insurance – In addition to reviewing the provider’s business continuity and disaster recovery plans, you may want to evaluate their insurance coverage. BCP and DR plans are great, but insurance can cover many unknowns.
Code in escrow – If the provider is mission critical and you may become one of their largest customers, you may be able to require copies of the code in escrow (or an equivalent legal relationship). This can protect you in the event that their business model or ownership takes them in a different direction, and you would like the option to maintain the service yourself.
Be specific about who owns the data (or which data). Whether individual privacy or customer confidentiality is involved, it is worth determining rights and responsibilities over primary data as well as metadata. Even if the value is uncertain today, it is better to address this up front than later on.
What are the exit options and related costs? (nothing lasts forever!)
- How quickly will we be able to get our data and what formats are available?
- What is reasonable for being able to trigger an exit?
- How much lead time is either side required to provide in the event of a significant change? (This may be more about setting expectations than about SLAs, but having something in writing is a good starting point.)
Include reporting metrics important to you in the contract – this may be as simple as your SLAs, or may relate to compliance verification (e.g., in which month each year can you expect annual verification of HIPAA / PCI / HECVAT or SOC 2 compliance?).
Call the references
Time spent calling references can certainly illuminate the strengths and weaknesses of the vendor in question. You can learn about their history, their service, and how well they partner after the contract is signed.
Perhaps equally valuable, you may make a connection who has considered other options, risks or opportunities that you haven’t considered. Be open to unexpected learnings.
Ask for assurance up front
We are big fans of SOC 1 and SOC 2 reports for verifying the design and effectiveness of the control environment every year; however, there are many other compliance verifications that may be a better fit for your organization (such as ISO, NIST, PCI or HECVAT compliance).