Re: 3rd Party conducted Risk Assessment

["Hudson, Edward" <ewhudson () CSUCHICO EDU>]

As a former vendor I can say I think this isn't just a good idea, it's a "must do" in order to differentiate between 
those who say they can, and those who can really deliver what you ask for. No one better than current customers to 
separate the wheat from the chaff. No vendor worth their salt should hesitate a moment in providing you references 
aligned with your particular needs. I.E. risk assessment in higher edu. Don't settle for a reference from another 
industry.
<my .02>

Ed Hudson, CISM
Information Security Office 
California State University, Chico 
www.csuchico.edu/ires/security 
Office: (530) 898-6307
Cell: 707-799-3250
ewhudson () csuchico edu
 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Myers, 
Julie
Sent: Monday, August 17, 2009 11:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] 3rd Party conducted Risk Assessment

We have been considering engaging a consultant to conduct a University
wide Risk Assessment.  We are currently the process of collecting
reference from these vendors.  I was wondering if any of you have gone
down this path and your perception on the value add of doing so.  

Thank you, 

Julie Myers 
Chief Information Security Officer 
University of  Rochester - University IT
julie.myers () rochester edu  
p: 585.273.1804  c: 585.208.0939  
P Think twice before you print

 CONFIDENTIALITY: This email (including any attachments) may contain
confidential, proprietary and privileged information, and unauthorized
disclosure or use is prohibited. If you received this email in error,
please notify the sender and delete this email from your system. Thank
you.