Educause Security Discussion mailing list archives
Re: Security Assessment
From: James Moore <jhmiso () RIT EDU>
Date: Thu, 5 Apr 2007 14:34:21 -0400
I am a fan of Security Horizon out of Colorado Springs. They understand the technical as well as the non-technical elements of assessments (which is what we had them do, since we had a security posture assessment that measures how the message at the top is translating into the technical security further down.) The thing that I really liked about them is that they could communicate no matter what level they were addressing. When they were doing the on-campus technical assessments, they had the systems administrators sit with them as they did the assessment. The systems administrators said that the assessment was worth it, no matter what the other outcomes were. It is not surprising; they participated in the development of the Infosec Assessment Methodology (IAM), and were the first ones to teach it. Ditto for the Infosec Evaluation Methodology (IEM).

The benefits of their ability to communicate were a significant strength. They also deliver on time. They estimated 4 weeks (time to roll up results, and to do the external test), and write the report, and they came in with a draft at 3 1/2 weeks. For a more detailed description of the benefits of a security posture assessment, I have a write-up on the Educause site.

We also followed the posture assessment with a technical risk assessment that was done by Symantec, which was very aggressively priced. Security Horizon did respond to the RFP, but Symantec demonstrated depth in some very specific mainframe applications, and therefore got that contract. It was harder for me to gauge their communication capabilities, as the evaluation was in some specific sections of RIT, and I didn't participate in any of the sessions (I was giving people some space, since they were taking the initiative to gain an objective evaluation). Their report was very good.

I recommend either Symantec or Security Horizon. My 2 cents.
Jim

- - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology

-----Original Message-----
From: Penn, Blake [mailto:pennb () UWW EDU]
Sent: Thursday, April 05, 2007 2:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Assessment

Jefferson Wells is one of the few national firms that do this type of work at reasonable prices. They hire sharp and experienced people (I know several of them personally and can attest to their skills) but don't overcharge like the Big 4-type firms. And they don't even pay me to say this!

___________________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-7792
(f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security

-----Original Message-----
From: Dick Jacobson [mailto:Dick.Jacobson () NDSU NODAK EDU]
Sent: Thursday, April 05, 2007 12:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Assessment

One of our entities is looking for "names of companies and/or consultants that could provide an overall security assessment - server, database, etc." If you have had experience with any (or heard stories of any) we would appreciate your input. You can contact me directly if you prefer.

Thanks in advance for your help.

-----------------------------------------------------------------------
Dick Jacobson                   e-mail : Dick.Jacobson () ndus NoDak edu
NDUS IT Security Officer        office : IACC 206, NDSU
ND HECN MultiUser Host SysAdd   phone  : 701-231-7385
-----------------------------------------------------------------------