Educause Security Discussion mailing list archives

Re: External Consultants


From: "Sherry, Cathy" <csherry () UMASSP EDU>
Date: Thu, 31 Jan 2008 15:05:56 -0500

The University of Massachusetts contracted for a general information
security review a few years ago including policy/standards review;
information security organization review, penetration testing, etc. We
used a single vendor and found this helpful due to the
interrelationships between the different "categories" of information
security.  The engagement yielded a comprehensive and very helpful
report.


We recently contracted for a security/privacy assessment that was more
network security oriented (e.g., assessment of security related to
routers, switches, VoIP, PBX, SCADA devices, networked
printers/copiers/faxes, etc.) with additional items such as social
engineering, account request processes; wireless configuration review;
patch management process review, incident handling process review;
assessment of information security awareness/training, etc.  This was a
very large RFB.  We again went with one vendor because of the
interrelationship of the environments and our desire to obtain a
cohesive point-in-time assessment of our security environment.  Some
items were looked at as "a la carte" (e.g., social engineering) but from
the point of view of what the scope of the engagement would be with the
single vendor.


If you decide to go with different vendors I suggest you make your RFB
and Statement of Work very specific and require detailed explanations of
methodologies so that you can compare report results and account for any
findings that may have resulted from different vendor approaches.


:: Catherine Sherry, Principal Security Specialist
:: University Information Technology Services (UITS)
:: University of Massachusetts President's Office

:: 508-856-1547
:: 508-856-4844 Fax
:: csherry () umassp edu

University of Massachusetts : 333 South St. : Suite 400 : Shrewsbury, MA
01545 : http://www.massachusetts.edu/


________________________________

From: Taylor, James R [mailto:JimTaylor () MISSOURISTATE EDU] 
Sent: Thursday, January 31, 2008 2:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] External Consultants


We will be issuing an RFP for an external consultant to assess our
overall information security.  Since not all consultants will have
expertise in the areas we will specify for review, we are considering a
"modular" approach which would allow them to bid on the areas they want,
a la carte.  Has anyone used this approach?  Also, we would like our
consultant to be listed on the PCI Security Standards Council's
"Qualified Security Assessors" list
(https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf) to get a
stringent enough assessment to cover all compliance issues (PCI, HIPAA,
FERPA).  Past posts on this forum have named consultants but only two
(Jefferson Wells and NetSPI) were on the PCI list.  Has anyone had
experience with others on the list?  As you might have guessed, we are
looking for the best bang for the buck.


I would like to know if we might be opening a can of worms by possibly
having multiple vendors provide an assessment, and if we are
unnecessarily restricting ourselves to vendors on the "Qualified
Security Assessors" list.


Thanks for any help that can be provided.


__________________________

Jim Taylor GISP, GCIH, GCFA

Technology Projects Coordinator

Computer Services

Missouri State University

417-836-5226

http://computerservices.missouristate.edu
