Educause Security Discussion mailing list archives

Re: External Consultants


From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Thu, 31 Jan 2008 15:13:58 -0500

Having different organizations conduct different portions of the assessment will likely cost you a lot more money.  A 
lot of efficiencies are gained in the information gathering stage if one company is doing all the work.  Separating 
them could also be a nuisance for your support staff given that there will be overlap and they may be answering the 
same questions more than once.

With respect to PCI, not sure if you'd be opening yourself up to any unnecessary liability by having a QSA conduct the audit.  I 
believe they are required to retain results and provide them to the council if requested (Section 4.6.1 of the QSA Validation 
Requirements).  I may be misreading the requirements though.  Also, being a QSA doesn't necessarily mean you're qualified to
do other types of assessments (e.g. HIPAA, FERPA, etc.).  A consultant that is not a QSA could still conduct a gap analysis for you 
since PCI audit procedures are publicly available.

Hope that helps.


Taylor, James R wrote:
We will be issuing an RFP for an external consultant to assess our overall information security. Since not all consultants will have expertise in the areas we will specify for review, we are considering a “modular” approach which would allow them to bid on the areas they want, a la carte. Has anyone used this approach? Also, we would like our consultant to be listed on the PCI Security Standards Council’s “Qualified Security Assessors” list (https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf) to get a stringent enough assessment to cover all compliance issues (PCI, HIPAA, FERPA). Past posts on this forum have named consultants but only two (Jefferson Wells and NetSPI) were on the PCI list. Has anyone had experience with others on the list? As you might have guessed, we are looking for the best bang for the buck.

I would like to know if we might be opening a can of worms by possibly having multiple vendors provide an assessment, and if we are unnecessarily restricting ourselves to vendors on the “Qualified Security Assessors” list.

Thanks for any help that can be provided.

__________________________

Jim Taylor, GISP, GCIH, GCFA

Technology Projects Coordinator

Computer Services

Missouri State University

417-836-5226

http://computerservices.missouristate.edu/

