Educause Security Discussion mailing list archives

Re: What companies do a good security audit/review


From: Bob Bayn <Bob.Bayn () USU EDU>
Date: Fri, 14 Mar 2008 08:42:26 -0600

Mark Bruhn wrote from Indiana U:
Depending on what you want, you may also identify a respected
colleague from another like-institution, ask that person to put a
team together, and have a peer review done?  I have said many times
that we do not do enough of that, while handing a lot of money to
companies that walk in with no clue as to higher education culture,
environment, and operations.

We recently had a 3-day security audit performed here under the
auspices of the State Board of Regents.  The audit team was composed
of security folks from other Utah schools (and we are invited to
participate as the team repeats the circuit of other schools). We
learned a lot and got somewhat independent confirmation of the
things that we recognize (in IT Security) are in need of more
administrative support.  In our case, this approach helps to break
down the institutional silos, building relationships with our nearby
peers who share the same issues, both technical and political.  We
had a networking audit by a fairly well known consulting group in
the past year and I didn't see the level of big-city insight brought
to us mountain podunks that I expected.  But they did provide the
necessary external confirmation to our administration of our needs
and deficiencies.  Why is it that administrators never trust the
views and advice of the people they hire and pay every day; but
place great weight in the views of an outsider who drops in, writes
a report and then goes away?

Bob Bayn
IT Security Team coordinator
Utah State University
Cache Valley, Utah
