Educause Security Discussion mailing list archives
Re: What companies do a good security audit/review
From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Fri, 14 Mar 2008 11:01:11 -0600
Mark,

There are quite a number of companies that CAN do a good job, and sometimes do, but even for most of these it often depends on whether you get the A team or not. I've had great results and terrible results from the same company. It may be to your advantage to find someone more local with good recommendations from folks you trust. Given the scale of the project, sometimes the security and audit organizations rolled out from the "final" or big 4 accounting firms can be really good, other times, just a waste of money.

Names and experience may be most useful to you. Without that, I recommend you pay attention to the product/presentation they offer. If it is a list of do's rather than a good risk analysis/threat vs. objectives approach, I prefer the folks astute enough to realize one size doesn't fit all. Ask for sample reports and see whether they are simply directives based on tests, or whether they present vulnerabilities and restate your objectives.

I've had great luck with Symantec (Web application security review), especially if you get some of the folks that came over from @stake in that acquisition, but they are pricey, and like any big firm you can get the "bait and switch" effect of bringing in the A star for the sell and then sending in junior for the job. A risk with any of the big firms. Ciber and Coalfire Systems are two companies that can do a reasonable job, but I've also seen them blow it on occasion. I've been pleased with some aspects of their work, and frustrated with others. If you want real auditors, not primarily security considerations, Jefferson Wells can do OK on occasion, but it is very dependent on the personnel - make sure to get names and recommendations in these cases. Off a cold call with a low potential for massive amounts of future attention, many bigger firms will send you the B Team.

I'd also be careful about firms that do an analysis but do that as a front to an internal product they like to sell. There's a bit of a conflict there that can taint the results with a hard sell. This is more common in the big firms from my experience.

Best wishes. I've run across hundreds of organizations that do this - so focus on the personnel brought to the table and the product they deliver more than the firm if you can't get good local specific recommendations. I wouldn't take the organizations I've mentioned as endorsements, they are just some players in the field. My main point is to consider the output/product they'll give you and the personnel they bring to the table. Any number of once good firms can really foul it up too.

Best regards,
Jim

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu
303-735-5682
-------------------Boulder------------------------

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Berman
Sent: Friday, March 14, 2008 6:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] What companies do a good security audit/review

Hi all,

I am trying to send out an RFP for a security review/audit here at Williams. I have a couple of consulting companies that I've heard good things about whom I will include in the RFP distribution, but I would like a wider selection. The two I know about now are Bearhill and Akibia. I've heard through the grapevine that many companies that do this kind of work are not doing a very good job due to personnel constraints (too much demand for security experts these days).

SO: Do you know of any vendors that I should include on my list? Any vendors I should specifically NOT include? Any negative word on the two companies I already have on my list (negative because what I've heard so far is positive)?

Any help will be much appreciated.

- Mark

--
Mark Berman, Director for Networks & Systems
Williams College, Office for Information Technology

*** Please consider the environment before printing this message
Current thread:
- What companies do a good security audit/review Mark Berman (Mar 14)
- <Possible follow-ups>
- Re: What companies do a good security audit/review Sealey, Adam L. (Mar 14)
- Re: What companies do a good security audit/review St Clair, Jim (Mar 14)
- Re: What companies do a good security audit/review Bruhn, Mark Steven (Mar 14)
- Re: What companies do a good security audit/review Bob Bayn (Mar 14)
- Re: What companies do a good security audit/review John Ladwig (Mar 14)
- Re: What companies do a good security audit/review Bruhn, Mark Steven (Mar 14)
- Re: What companies do a good security audit/review Darwin Macatiag (Mar 14)
- Re: What companies do a good security audit/review Ced Bennett (Mar 14)
- Re: What companies do a good security audit/review Jim Dillon (Mar 14)
- Re: What companies do a good security audit/review Ozzie Paez (Mar 14)