Educause Security Discussion mailing list archives

External Consultants


From: "Taylor, James R" <JimTaylor () MISSOURISTATE EDU>
Date: Thu, 31 Jan 2008 13:33:41 -0600

We will be issuing an RFP for an external consultant to assess our
overall information security.  Since not all consultants will have
expertise in the areas we will specify for review, we are considering a
"modular" approach which would allow them to bid on the areas they want,
a la carte.  Has anyone used this approach?  Also, we would like our
consultant to be listed on the PCI Security Standards Council's
"Qualified Security Assessors" list
(https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf) to get a
stringent enough assessment to cover all compliance issues (PCI, HIPAA,
FERPA).  Past posts on this forum have named consultants but only two
(Jefferson Wells and NetSPI) were on the PCI list.  Has anyone had
experience with others on the list?  As you might have guessed, we are
looking for the best bang for the buck.

 

I would like to know if we might be opening a can of worms by possibly
having multiple vendors provide an assessment, and if we are
unnecessarily restricting ourselves to vendors on the "Qualified
Security Assessors" list.

 

Thanks for any help that can be provided.

 

__________________________

Jim Taylor GISP, GCIH, GCFA

Technology Projects Coordinator

Computer Services

Missouri State University

417-836-5226

http://computerservices.missouristate.edu

 

 

