Educause Security Discussion mailing list archives
Re: Security Audit Vendors/Cost Estimates
From: Ken Shaurette <kmshaurette () MPCCORP COM>
Date: Thu, 24 Mar 2005 16:50:25 -0700
Mike, if you would like to contact me off list I’d like to talk to you in more detail about your needs and estimates for the kind of work you need. As was noted by Chris at Lansing, the key is being able to adequately scope your needs.

The kinds of things that increase a vendor's cost the greatest are estimating for the unknown factors. Efforts that take a significant amount of effort such as blind penetration assessments, application vulnerability assessment, and social engineering or database vulnerability assessments tend to increase cost the quickest. The other time-consuming component is interviewing members of your team as well as others at the college or university to establish the “tone at the top”, essentially the people aspects of policies, work practices and security program. Wireless can increase the effort if it is necessary to travel between several locations, especially if there is distance to be covered in order to assess access points and wireless vulnerability.

You can see a very broad range of cost depending on the scope. For example, you may have 10,000 workstations, but they are all imaged alike; it does not make a lot of sense from a cost standpoint to scan every device, especially if you have the images locked down. You may however want to do semi-random sampling, especially targeting specific departments. This can result in a lot fewer IP addresses to be scanned and can save you dollars.

A “pure” technical vulnerability assessment using various scanning tools I’ve seen for much less than $50k, but it depends on your scope.

Ken

Ken M. Shaurette, CISSP, CISA, CISM
MPC Solutions (a division of MPC, LLC), www.mpcscorp.com
kmshaurette () mpccorp com
(262) 523-3300 x60486
------------------------------------------------------------
National Security Awareness Day - October is CyberSecurity Month - Awareness does not end when the day is done!!
------------------------------------------------------------

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Pasquerette
Sent: Thursday, March 24, 2005 10:17 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Audit Vendors/Cost Estimates

We have recently upgraded our network switches and added wireless access points in our dorms to control users' access to the network right at the edge. We are evaluating Enterasys N3 switches and RoamAbout Access Points with their Policy Manager and Dragon IDS for our ResNet. So far we are very pleased with the results; however, we would now like to have a 3rd party come in and perform an onsite security audit to determine how well our vendor and network admins have things locked down. We want to verify security restrictions for both wired and wireless access from our resident portion of the network to the rest of our network.

Does anyone know any vendors in the DC metro area who offer this kind of service and might have experience with a college or university? For those who have done a similar activity in the last year, what should we expect a vendor to charge for such an audit?

Thanks in advance for any advice and comments on your experience.

Mike Pasquerette
Network Analyst
Hood College

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Security Audit Vendors/Cost Estimates Mike Pasquerette (Mar 24)
- <Possible follow-ups>
- Re: Security Audit Vendors/Cost Estimates Manuel Amaral (Mar 24)
- Re: Security Audit Vendors/Cost Estimates Chris Bennett (Mar 24)
- Re: Security Audit Vendors/Cost Estimates Ken Shaurette (Mar 24)