Educause Security Discussion mailing list archives

Re: Security Audit Vendors/Cost Estimates


From: Ken Shaurette <kmshaurette () MPCCORP COM>
Date: Thu, 24 Mar 2005 16:50:25 -0700

Mike, if you would like to contact me off list I’d like to talk to you in more detail about your needs and estimates 
for the kind of work you need.  

 

As was noted by Chris at Lansing, the key is being able to adequately scope your needs.  The kinds of things that 
increase a vendor's cost the greatest are estimating for the unknown factors.  Efforts that take a significant amount of 
effort such as blind penetration assessments, application vulnerability assessment, and social engineering or database 
vulnerability assessments tend to increase cost the quickest.  The other time-consuming component is interviewing 
members of your team as well as others at the college or university to establish the “tone at the top”, essentially the 
people aspects of policies, work practices and security program.  Wireless can increase the effort if it is necessary 
to travel between several locations, especially if there is distance to be covered in order to assess access points and 
wireless vulnerability.  You can see a very broad range of cost depending on the scope.  For example, you may have 
10,000 workstations, but they are all imaged alike; it does not make a lot of sense from a cost standpoint to scan 
every device, especially if you have the images locked down.  You may, however, want to do semi-random sampling, 
especially targeting specific departments.  This can result in a lot fewer IP addresses to be scanned and can save you 
dollars.  A “pure” technical vulnerability assessment using various scanning tools I’ve seen for much less than $50k, 
but it depends on your scope.

Ken 

Ken M. Shaurette, CISSP, CISA, CISM 
MPC Solutions (a division of MPC, LLC), www.mpcscorp.com 

kmshaurette () mpccorp com
(262) 523-3300 x60486 
------------------------------------------------------------ 

National Security Awareness Day - October is CyberSecurity Month - Awareness does not end when the day is done!! 
------------------------------------------------------------ 

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike 
Pasquerette
Sent: Thursday, March 24, 2005 10:17 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Audit Vendors/Cost Estimates

 

We have recently upgraded our network switches and added wireless access points in our dorms to control users' access 
to the network right at the edge. We are evaluating Enterasys N3 switches and RoamAbout Access Points with their Policy 
Manager and Dragon IDS for our ResNet. So far we are very pleased with the results; however, we would now like to have a 
3rd party come in and perform an onsite security audit to determine how well our vendor and network admins have things 
locked down. We want to verify security restrictions for both wired and wireless access from our resident portion of 
the network to the rest of our network. Does anyone know any vendors in the DC metro area who offer this kind of 
service and might have experience with a college or university?

For those who have done a similar activity in the last year, what should we expect a vendor to charge for such an 
audit? Thanks in advance for any advice and comments on your experience.

 

Mike Pasquerette

Network Analyst

Hood College

 

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found 
at http://www.educause.edu/groups/. 

