Educause Security Discussion mailing list archives

Security Assessment -- Firms and Costs


From: Kevin Casey <CaseyK () HUSSON EDU>
Date: Sat, 15 Jan 2011 07:16:42 -0500

Good morning.
 
We have a common-enough story: we're a small university (3k students, a third of whom live on campus) with an 
under-staffed IT department.  We've got the "annoyance" threats contained, and have some data security safeguards in 
place to help keep us off the front page of our local newspaper, but we've never done a large, thorough technical 
audit.  
 
Some research has revealed assessment firms and rough pricing.  Some in our administration, however, seem 
surprised/appalled that it would cost this much.
 
So I'm looking for a little more evidence that, yes, it does cost this much.
 
I was hoping that folks might be willing to share in brief their experiences with this, something like, "We've got 5k 
students, we used this firm, and it cost about $x at the end of the day."  We're looking for pretty complete 
internal/external vulnerability/penetration testing, a review of our policies, and a focus on about five applications.  
The chief goal is to prevent an episode where student/employee data is compromised.
 
I understand student numbers is not the best unit of comparison (as opposed to IP addresses, etc.), but I'm just 
looking for rough figures.
 
Thanks!
 
Kevin Casey
Husson University

