A procurement specialist is drafting a request for proposal (RFP) to acquire a cloud-based HR application that will store sensitive employee information. According to best practice for the acquisition/procurement process, why is it critical to embed explicit security requirements in the RFP and contract rather than waiting until after the system goes live?
To ensure security controls are integrated into the design and contractual obligations from the beginning, reducing overall risks and retrofit costs
To avoid the need for any further security assessments or monitoring once the system is deployed
To transfer the responsibility for security entirely from the organization to the external vendor
To merely comply with external audit requirements, with minimal focus on actual security postures
Including detailed security requirements during procurement ensures that controls are built into the service design and contract, binding the vendor to those obligations and reducing risk from the outset. Retrofitting security after deployment is typically more costly and leaves the organization exposed to avoidable threats while changes are made.