Educause Security Discussion mailing list archives
Re: What companies do a good security audit/review
From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Fri, 14 Mar 2008 12:31:12 -0700
Mark,

There are two issues to consider: the RFP and the consulting company. Of the two, the RFP is often the more important because it allows you to match your specific needs to the consulting company's capabilities. I have been on a variety of teams that had little guidance and, under those conditions, the security consultants reverted to what they knew and liked to do. For example, a security company that knows all about firewalls and their associated rule sets may not be the best choice to examine data flows to ensure that data regulated under a variety of privacy laws are not leaking out of your organization or into your organization. Companies that are very good at defining/auditing organizational policies, procedures and contracts to ensure compliance with the ever-growing number of laws and regulations may not have the full skill set to translate them into solutions, audit their implementation, etc.

Just make sure that you know precisely what you want, why you want it and what regulations (and there are always multiple of these) apply. Make sure that you include all appropriate NDA statements and controls in the RFP. For example, you may require that all consultants have received appropriate background checks so that a hacker or criminal with a history is not brought in as one of your "security consultants", etc.

Now, once you have an RFP that covers what you want and what you expect to receive, you can then move forward and identify candidate companies to carry out the work. From experience, I can tell you that many audits have so many holes in them that they are basically very expensive placebos. When that happens, it is usually because the RFP was not sufficiently detailed and the company or companies doing the work essentially packaged a deliverable that they could do within budget.

If you can give me a bit more information on what kind of audit you are looking for, I should be able to point you to multiple sources with a good reputation.
Let me know,

Ozzie Paez
SSE/CISSP
SAIC
303-332-5363

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Berman
Sent: Friday, March 14, 2008 5:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] What companies do a good security audit/review

Hi all,

I am trying to send out an RFP for a security review/audit here at Williams. I have a couple of consulting companies that I've heard good things about, whom I will include in the RFP distribution, but I would like a wider selection. The two I know about now are Bearhill and Akibia. I've heard through the grapevine that many companies that do this kind of work are not doing a very good job due to personnel constraints (too much demand for security experts these days).

SO: Do you know of any vendors that I should include on my list? Any vendors I should specifically NOT include? Any negative word on the two companies I already have on my list (negative because what I've heard so far is positive)?

Any help will be much appreciated.

- Mark

--
Mark Berman, Director for Networks & Systems
Williams College, Office for Information Technology

*** Please consider the environment before printing this message
Current thread:
- What companies do a good security audit/review Mark Berman (Mar 14)
- <Possible follow-ups>
- Re: What companies do a good security audit/review Sealey, Adam L. (Mar 14)
- Re: What companies do a good security audit/review St Clair, Jim (Mar 14)
- Re: What companies do a good security audit/review Bruhn, Mark Steven (Mar 14)
- Re: What companies do a good security audit/review Bob Bayn (Mar 14)
- Re: What companies do a good security audit/review John Ladwig (Mar 14)
- Re: What companies do a good security audit/review Bruhn, Mark Steven (Mar 14)
- Re: What companies do a good security audit/review Darwin Macatiag (Mar 14)
- Re: What companies do a good security audit/review Ced Bennett (Mar 14)
- Re: What companies do a good security audit/review Jim Dillon (Mar 14)
- Re: What companies do a good security audit/review Ozzie Paez (Mar 14)