Educause Security Discussion mailing list archives
Re: What companies do a good security audit/review
From: "Bruhn, Mark Steven" <mbruhn () INDIANA EDU>
Date: Fri, 14 Mar 2008 11:44:58 -0400
Amen. Many have told me, and it was true here of a review we had done by a company back in 1998 or so, that they essentially end up writing much of the report anyway, and accept that the money being paid is more for that objectivity than anything else. A peer review we had done around that same time, led by Gene Spafford and stocked with several others for whom we had a great deal of professional respect, was considerably more valuable.

On 3/14/08 10:42 AM, "Bob Bayn" <Bob.Bayn () USU EDU> wrote:

Mark Bruhn wrote from Indiana U:
Depending on what you want, you may also identify a respected colleague from another like-institution, ask that person to put a team together, and have a peer review done? I have said many times that we do not do enough of that, while handing a lot of money to companies that walk in with no clue as to higher education culture, environment, and operations.
We recently had a 3-day security audit performed here under the auspices of the State Board of Regents. The audit team was composed of security folks from other Utah schools (and we are invited to participate as the team repeats the circuit of other schools). We learned a lot and got somewhat independent confirmation of the things that we recognize (in IT Security) are in need of more administrative support. In our case, this approach helps to break down the institutional silos, building relationships with our nearby peers who share the same issues, both technical and political.

We had a networking audit by a fairly well known consulting group in the past year and I didn't see the level of big-city insight brought to us mountain podunks that I expected. But they did provide the necessary external confirmation to our administration of our needs and deficiencies.

Why is it that administrators never trust the views and advice of the people they hire and pay every day, but place great weight in the views of an outsider who drops in, writes a report and then goes away?

Bob Bayn
IT Security Team coordinator
Utah State University
Cache Valley, Utah