2025-10-10

Secure Purchasing

Image from Pixabay

A young family member had been in need of a new laptop for some time. You know how it goes: the device goes everywhere, the bag isn’t always handled gently, and the water bottle turns out not to be entirely leak-proof. The situation became increasingly dire: large parts of the screen had stopped working. So what do you do? You go to the store or order a new laptop online.

It certainly hurts financially, but the process usually goes smoothly. Order before midnight, receive it tomorrow (that’s how it works in the Netherlands). If you're lucky, the package is neatly delivered to your door (and not dumped in the trash bin — but that’s a story for another time).

Things are quite different at a government organization. If you need to replace laptops for tens of thousands of employees or require new software, you can’t just go to the local store or a webshop. No, you have to initiate a European tender. That’s a complex process where you must describe what you want in functional terms. You’re not allowed to specify a brand — instead, you must list desired specifications: screen size, storage capacity, amount of RAM, that sort of thing. The tender document also includes many other requirements that the product, maintenance, and supplier must meet. If a supplier cannot answer ‘yes’ to even one requirement, they’re out. The winner is the supplier who meets all conditions and offers the lowest price. You, as the buyer, have no influence over who that is or what product they offer.

Our team is responsible for security, continuity, and privacy. From these perspectives, we want to influence the ICT products and services being procured. In the past, requirements that didn’t directly relate to functionality were given a dreadful label: non-functionals. I understand the term — these requirements don’t directly concern what the product should do and thus don’t contribute to the requested functionality. But honestly, how would you feel if your input were labeled non-functional?

We came up with a solution. We created a document that bundles all the requirements we want to impose on procurement processes from our area of responsibility. And the proud title of that document is: Security Functionals Requirements (SFR). Because you know what? Security matters. Often, security actually enables things that wouldn’t be possible otherwise. Or would you want to bank online if it weren’t properly secured?

The SFR is based on the BIO document — the Baseline Information Security for Dutch government. That’s our mandatory framework, so it makes sense to use it as a starting point: if we use a product that doesn’t comply with BIO, then we as an organization don’t comply either. We’ve also added our own expertise, for example, on topics not yet addressed in BIO, such as quantum computing, which poses a serious threat to the security of our data. In other areas, we’ve included insights based on our field experience.

Our procurement officers, who formally guide such processes, naturally have opinions about the requirements. Coordination with them — including legal advisors — is therefore important. All in all, we now have a solid generic document that must be used for every ICT procurement process. It’s up to the involved architect to determine which SFR requirements are relevant for a specific tender. Often, someone from our team is also involved to support the project manager with advice and expertise.

You understand that this is not a case of ‘ordered today, delivered tomorrow’. But that was already true before the SFR existed. A European tender is inherently a bureaucratic exercise that requires due diligence. Fortunately, things are much easier for you as a consumer. Of course, even without the SFR, you’ll ensure that the product meets your security requirements. Right?

And in the big bad world…
