Problem
Congratulations on joining ACME Widgets Inc as the senior security specialist. On your second week, the CFO invites you to an urgent meeting. He has just read about a MAJOR Vulnerability discovered in On-Prem Exchange Email servers, which he does not quite understand. The vulnerability is of an RCE type and may allow threat actors to compromise the servers and gain ROOT access. ACME's Exchange 365 does the majority of the email for the organization and is considered their most critical system. The CFO also mentioned that it has been a while since they last performed any security assessments on the environment and, as such, he is very worried and would like you to perhaps bring a 3rd party as soon as possible. ACME would need to go to RFP to find the best vendor for this project. What are some of the parameters you would need to consider in order to write the RFP and choose the best vendor for the job? Some of the questions you might want to consider are: Type of assessment needed (PT/VA/Health checks)? Black/White/Grey Box methodology? What systems will you include in the test, or exclude? Qualifications of the 3rd party?