SAS70 Outsourcing Project Implementation Contracts Evaluation Checklist


Purpose
This section describes in simple terms the purpose of the evaluation, how it relates to the customer, and the benefits the organization will receive from the evaluation process. It is essential that you use common terminology relevant to the organization to ensure that this material is understood.

Methodology
This section describes the methodology that will be used to conduct the evaluation. This is a good place to emphasize the IEM as a standard methodology to conduct technical INFOSEC evaluations, developed and approved by the National Security Agency. This section includes the phases, processes, and steps to be used during the evaluation.

Scope
This section is a detailed demonstration of the level of effort, boundaries, and limitations of the evaluation. Appropriate assumptions are a critical part of the scoping process. The scope section provides a detailed listing of known assumptions affecting the evaluation. Assumptions are critical in demonstrating an understanding of the customer environment and detailing how that environment will affect the evaluation. The types of assumptions may include number of physical locations, number and type of systems, number and type of networks, relevant POC information, information about scheduling of the technical scans and conducting the 10 baseline IEM activities, and any associated constraints that can be listed as assumptions.

Roles and responsibilities of customer staff
This section identifies the expectations of the customer’s staff to support the evaluation effort. Activities can include introductions, scheduling, coordination, and communications. Utilize this space to ensure that the customer has an understanding of what they need to do to support the evaluation effort.

Roles and responsibilities of the evaluation team
This section identifies the expectations and responsibilities of the evaluation team to support and communicate with the customer staff.

Deliverables
An accurate list of deliverables with a brief description of each will assist in managing expectations. Often the customer’s expectations of a deliverable will be different than what was planned by the evaluation team. Ensuring that you have given an accurate description of the deliverables in the signed agreement is important to the process.

Change control
This section identifies the process for managing change within the terms of the contract to avoid “scope creep” and out-of-scope work. Change control should include a process whereby both the customer and the evaluation team will approve any changes to the scope of the effort as well as any related cost changes.

Letter of authorization requirement
Due to the nature of the evaluation effort, a formal approval to conduct the evaluation must be given in writing to avoid issues with law enforcement and other security-monitoring agencies. A copy of this letter of authorization should be in the evaluator’s possession any time they are conducting the evaluation effort.

Period of performance
The necessary schedule for the evaluation can be extremely important. Gaining an understanding of customer availability and the consultant’s availability is key to planning a successful evaluation. Depending on the schedule requirements, it might not be possible to list specific dates at this point. If this is the case, be sure to include the expectation of time for activities so the customer’s staff can look at their calendars and begin planning when the evaluation makes sense.

Location of the work
Work location figures directly into the cost of the evaluation. In this section, be sure to list where the onsite work is to be conducted, where offsite work is to be conducted, whether multiple locations will need to be visited, and where the analysis and reporting will be conducted. Be sure to take into account whether the evaluation team will be dealing with classified information and the potential necessity for additional security controls while conducting evaluation activities.

Service fees with any relevant quotation notes
This is your pricing table for the effort. Be as detailed as possible to show the plan of action along with associated costs. The actual cost of your evaluation service depends entirely on your own organization’s policy and will not be addressed.

Payment schedule
Generally, net 30 days or net 45 days are common payment schedules. However, with some customers, you might have to work out a special agreement for payment.

Deliverable acceptance/rejection process
This section identifies the process for accepting or rejecting a deliverable and how to resolve issues. It is also important to establish timeframes for when draft deliverables become final deliverables, if the customer does not provide any comments on the deliverables.

Signatures
The signature section of the contract addresses your organization’s approved statement of terms and conditions. The acceptance section may include information on the length of the agreement, scheduling coordination requirements, termination terms and costs, any other related penalties for cancellation, and acceptance of the terms of the proposal/agreement.

Organizational qualifications
This section describes and demonstrates how your organization is best qualified to execute the work the customer requires. This will likely be a detailed background of your organization, your organization’s qualifications, qualifications of the proposed members of the team, and how those qualifications will assist the customer in meeting their goals.

