Educause Security Discussion mailing list archives

Re: What companies do a good security audit/review


From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Fri, 14 Mar 2008 10:43:57 -0500

In our system, we've had phenomenal satisfaction levels with a peer-review Information Security Assessment Program 
across our 35 member institutions.  

We build an assessment team composed of faculty consultants, IT staff consultants, and permanent security staff to work 
a program based on putting business and IT together to talk about sensitive data, where it's located, how it's used, 
and how it's protected.  Eventual outcome is a roadmap of activities campuses should undertake over the next year or 
two, with major activities outlined.  

There's a more than passing resemblance between our assessment instruments and PCI-DSS, although we're not undertaking 
the external scan component at this time.  Meanwhile we're spinning up a comprehensive internal program of 
vulnerability scanning and management.

We're lucky in that we're a big system, and we can organize and fund this approach.  Those with smaller schools might 
want to arrange a swap, along a common framework.  One of the things we don't do in our program is allow staff or 
faculty field assessors to assess their own institutions.  

    -jml

"Bruhn, Mark Steven" <mbruhn () INDIANA EDU> 2008-03-14 09:14 >>>
Depending on what you want, you may also identify a respected colleague from another like-institution, ask that person 
to put a team together, and have a peer review done?  I have said many times that we do not do enough of that, while 
handing a lot of money to companies that walk in with no clue as to higher education culture, environment, and 
operations.
M.

On 3/14/08 8:05 AM, "Mark Berman" <Mark.I.Berman () WILLIAMS EDU> wrote:

Hi all,

I am trying to send out an RFP for a security review/audit here at Williams. I have a couple of consulting companies 
that I've heard good things about whom I will include in the RFP distribution, but I would like a wider selection. The 
two I know about now are Bearhill and Akibia. I've heard through the grapevine that many companies that do this kind of 
work are not doing a very good job due to personnel constraints (too much demand for security experts these days).

SO: Do you know of any vendors that I should include on my list? Any vendors I should specifically NOT include? Any 
negative word on the two companies I already have on my list (negative because what I've heard so far is positive).

Any help will be much appreciated.

 - Mark
--
Mark Berman, Director for Networks & Systems
Williams College, Office for Information Technology
*** Please consider the environment before printing this message
