Educause Security Discussion mailing list archives
Re: What companies do a good security audit/review
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Fri, 14 Mar 2008 10:43:57 -0500
In our system, we've had phenomenal satisfaction levels with a peer-review Information Security Assessment Program across our 35 member institutions. We build an assessment team composed of faculty consultants, IT staff consultants, and permanent security staff to work a program based on putting business and IT together to talk about sensitive data, where it's located, how it's used, and how it's protected. The eventual outcome is a roadmap of activities campuses should undertake over the next year or two, with major activities outlined. There's a more than passing resemblance between our assessment instruments and PCI-DSS, although we're not undertaking the external scan component at this time. Meanwhile we're spinning up a comprehensive internal program of vulnerability scanning and management. We're lucky in that we're a big system, and we can organize and fund this approach. Those with smaller schools might want to arrange a swap, along a common framework. One of the things we don't do in our program is allow staff or faculty field assessors to assess their own institutions.

-jml
"Bruhn, Mark Steven" <mbruhn () INDIANA EDU> wrote on 2008-03-14 09:14:

Depending on what you want, you may also identify a respected colleague from another like-institution, ask that person to put a team together, and have a peer review done? I have said many times that we do not do enough of that, while handing a lot of money to companies that walk in with no clue as to higher education culture, environment, and operations.

M.

On 3/14/08 8:05 AM, "Mark Berman" <Mark.I.Berman () WILLIAMS EDU> wrote:

Hi all,

I am trying to send out an RFP for a security review/audit here at Williams. I have a couple of consulting companies that I've heard good things about whom I will include in the RFP distribution, but I would like a wider selection. The two I know about now are Bearhill and Akibia. I've heard through the grapevine that many companies that do this kind of work are not doing a very good job due to personnel constraints (too much demand for security experts these days).

SO: Do you know of any vendors that I should include on my list? Any vendors I should specifically NOT include? Any negative word on the two companies I already have on my list (negative because what I've heard so far is positive)?

Any help will be much appreciated.

- Mark

--
Mark Berman, Director for Networks & Systems
Williams College, Office for Information Technology

*** Please consider the environment before printing this message