Educause Security Discussion mailing list archives

Re: Security Assessment -- Firms and Costs


From: Barron Hulver <Barron.Hulver () OBERLIN EDU>
Date: Sat, 15 Jan 2011 11:52:50 -0500

Kevin,

We are in the same situation. We are a small liberal arts college of nearly 3,000 students and a small, stretched IT staff that works very hard to support all the services. I have two recommendations: 1) perform a series of small engagements instead of a large, thorough technical audit and 2) establish a relationship with an external security consultant that you trust because that person will have experience with other organizations and security best practices.

Since a security assessment had never been performed before I started in the summer of 2006, the Director of IT and I decided to engage in a series of small assessments instead of a large, comprehensive assessment. Since I already had some experience with security assessments through my previous employer, I wrote the scope and reviewed it with the Director of IT and other directors as well as my staff. We focused on the network and central servers, leaving the assessment of applications and clients for another day. This worked out well as it minimized the initial cost, introduced to my staff the benefit of working with an external security consultant, and kept the amount of remediation work manageable. We have now completed three assessments and will be thinking about the fourth in the near future.

The second recommendation will follow by performing a series of small engagements. I already knew a security consultant I trusted before I came to Oberlin and we decided to use his services after we talked to a couple of other firms that perform security assessments. The benefit is my staff is now comfortable working with him (there is a trust relationship) and sometimes I call him for short questions and guidance.

While a security assessment is a point-in-time snapshot, approach it as a recurring process.

Barron

Barron Hulver
Director of Networking, Operations, and Systems
Center for Information Technology
Oberlin College
148 West College Street
Oberlin, OH  44074
440-775-8798
http://www2.oberlin.edu/staff/bhulver/

Good morning.

We have a common-enough story: we're a small university (3k students, a third of whom live on campus) with an under-staffed IT department. We've got the "annoyance" threats contained, and have some data security safeguards in place to help keep us off the front page of our local newspaper, but we've never done a large, thorough technical audit.

Some research has revealed assessment firms and rough pricing. Some in our administration, however, seem surprised/appalled that it would cost this much.

So I'm looking for a little more evidence that, yes, it does cost this much.

I was hoping that folks might be willing to share in brief their experiences with this, something like, "We've got 5k students, we used this firm, and it cost about $x at the end of the day." We're looking for pretty complete internal/external vulnerability/penetration testing, a review of our policies, and a focus on about five applications. The chief goal is to prevent an episode where student/employee data is compromised.

I understand student numbers are not the best unit of comparison (as opposed to IP addresses, etc.), but I'm just looking for rough figures.

Thanks!

Kevin Casey
Husson University
