Security engineering services business practices & models

[everette.denney () gmail com]

     I'm working on developing a business model for security engineering services. Does anyone have a reference link or 
two on how to setup proven processes around that? I'm interested on how (from a business perspective) one goes about 
discovery, assessment, design, remediation, etc. and which parts should be part of a pre-sales focus and which parts 
should be billable, etc. What is the industry "best practice" for this? 
   Thanks in advance for any replies.