Which of the following is the BEST method for evaluating a new vendor's security posture before awarding a contract?