Educause Security Discussion mailing list archives
Re: External Consultants
From: "Sherry, Cathy" <csherry () UMASSP EDU>
Date: Thu, 31 Jan 2008 15:05:56 -0500
The University of Massachusetts contracted for a general information security review a few years ago, including policy/standards review, information security organization review, penetration testing, etc. We used a single vendor and found this helpful due to the interrelationships between the different "categories" of information security. The engagement yielded a comprehensive and very helpful report.

We recently contracted for a security/privacy assessment that was more network security oriented (e.g., assessment of security related to routers, switches, VoIP, PBX, SCADA devices, networked printers/copiers/faxes, etc.) with additional items such as social engineering, account request processes, wireless configuration review, patch management process review, incident handling process review, assessment of information security awareness/training, etc. This was a very large RFB. We again went with one vendor because of the interrelationship of the environments and our desire to obtain a cohesive point-in-time assessment of our security environment. Some items were looked at "a la carte" (e.g., social engineering), but from the point of view of what the scope of the engagement would be with the single vendor.

If you decide to go with different vendors, I suggest you make your RFB and Statement of Work very specific and require detailed explanations of methodologies, so that you can compare report results and account for any findings that may have resulted from different vendor approaches.

:: Catherine Sherry, Principal Security Specialist
:: University Information Technology Services (UITS)
:: University of Massachusetts President's Office
:: 508-856-1547
:: 508-856-4844 Fax
:: csherry () umassp edu <mailto:csherry () umassp edu>
University of Massachusetts : 333 South St. : Suite 400 : Shrewsbury, MA 01545 : www.massachusetts.edu <http://www.massachusetts.edu/>

________________________________
From: Taylor, James R [mailto:JimTaylor () MISSOURISTATE EDU]
Sent: Thursday, January 31, 2008 2:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] External Consultants

We will be issuing an RFP for an external consultant to assess our overall information security. Since not all consultants will have expertise in the areas we will specify for review, we are considering a "modular" approach which would allow them to bid on the areas they want, a la carte. Has anyone used this approach?

Also, we would like our consultant to be listed on the PCI Security Standards Council's "Qualified Security Assessors" list (https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf) to get a stringent enough assessment to cover all compliance issues (PCI, HIPAA, FERPA). Past posts on this forum have named consultants, but only two (Jefferson Wells and NetSPI) were on the PCI list. Has anyone had experience with others on the list?

As you might have guessed, we are looking for the best bang for the buck. I would like to know if we might be opening a can of worms by possibly having multiple vendors provide an assessment, and if we are unnecessarily restricting ourselves to vendors on the "Qualified Security Assessors" list.

Thanks for any help that can be provided.

__________________________
Jim Taylor GISP, GCIH, GCFA
Technology Projects Coordinator
Computer Services
Missouri State University
417-836-5226
http://computerservices.missouristate.edu <http://computerservices.missouristate.edu>
Current thread:
- External Consultants Taylor, James R (Jan 31)
- <Possible follow-ups>
- Re: External Consultants Willis Marti (Jan 31)
- Re: External Consultants Sherry, Cathy (Jan 31)
- Re: External Consultants Doug Markiewicz (Jan 31)