Educause Security Discussion mailing list archives

Re: Security Assessment


From: James Moore <jhmiso () RIT EDU>
Date: Thu, 5 Apr 2007 14:34:21 -0400

I am a fan of Security Horizon out of Colorado Springs.  They understand the technical as well as the non-technical 
elements of assessments (which is what we had them do, since we had a security posture assessment that measures how the 
message at the top is translating into the technical security further down.)  

The thing that I really liked about them is that they could communicate no matter what level they were addressing.  
When they were doing the on-campus technical assessments, they had the systems administrators sit with them as they did 
the assessment.  The systems administrators said that the assessment was worth it, no matter what the other outcomes 
were.  It is not surprising; they participated in the development of the Infosec Assessment Methodology (IAM), and were 
the first ones to teach it.  Ditto for the Infosec Evaluation Methodology (IEM).  The benefits of their ability to 
communicate were a significant strength.  They also deliver on time.  They estimated 4 weeks (time to roll up results, 
to do the external test, and to write the report), and they came in with a draft at 3 1/2 weeks.

For a more detailed description of the benefits of a security posture assessment, I have a write-up on the Educause 
site.

We also followed the posture assessment with a technical risk assessment that was done by Symantec, which was very 
aggressively priced.  Security Horizon did respond to the RFP, but Symantec demonstrated depth in some very specific 
mainframe applications, and therefore got that contract.  It was harder for me to gauge their communication 
capabilities, as the evaluation was in some specific sections of RIT, and I didn't participate in any of the sessions 
(I was giving people some space, since they were taking the initiative to gain an objective evaluation).  Their report 
was very good.

I recommend either Symantec or Security Horizon.

My 2 cents.

Jim
- - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology

-----Original Message-----
From: Penn, Blake [mailto:pennb () UWW EDU] 
Sent: Thursday, April 05, 2007 2:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Assessment

Jefferson Wells is one of the few national firms that do this type of work
at reasonable prices.  They hire sharp and experienced people (I know
several of them personally and can attest to their skills) but don't
overcharge like the Big 4-type firms.  And they don't even pay me to say
this!

___________________________________________
Blake Penn, CISSP                            
Information Security Officer         
University of Wisconsin-Whitewater
(p) 262-472-7792 (f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security 

-----Original Message-----
From: Dick Jacobson [mailto:Dick.Jacobson () NDSU NODAK EDU] 
Sent: Thursday, April 05, 2007 12:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Assessment

One of our entities is looking for "names of companies and/or
consultants that could provide an overall security assessment -
server, database, etc."

If you have had experience with any (or heard stories of any)  we
would appreciate your input.  You can contact me directly if you
prefer.

Thanks in advance for your help.

-----------------------------------------------------------------------
Dick Jacobson                   e-mail : Dick.Jacobson () ndus NoDak edu
NDUS IT Security Officer        office : IACC 206, NDSU
ND HECN MultiUser Host SysAdd   phone  : 701-231-7385
-----------------------------------------------------------------------