Educause Security Discussion mailing list archives

Re: What companies do a good security audit/review


From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Fri, 14 Mar 2008 11:01:11 -0600

Mark,

There are quite a number of companies that CAN do a good job, and
sometimes do, but even for most of these it often depends on whether you
get the A team or not.  I've had great results and terrible results from
the same company.  It may be to your advantage to find someone more
local with good recommendations from folks you trust.  Given the scale
of the project, sometimes the security and audit organizations rolled
out from the "final" or big 4 accounting firms can be really good, other
times, just a waste of money.  Names and experience may be most useful
to you.  Without that, I recommend you pay attention to the
product/presentation they offer.  If it is a list of do's rather than a
good risk analysis/threat vs. objectives approach, I prefer the folks
astute enough to realize one size doesn't fit all.  Ask for sample
reports and see whether they are simply directives based on tests, or
whether they present vulnerabilities and restate your objectives.

I've had great luck with Symantec (Web application security review),
especially if you get some of the folks that came over from @stake in
that acquisition, but they are pricey, and like any big firm you can get
the "bait and switch" effect of bringing in the A star for the sell and
then sending in junior for the job.  A risk with any of the big firms.

Ciber and Coalfire Systems are two companies that can do a reasonable
job, but I've also seen them blow it on occasion.  I've been pleased
with some aspects of their work, and frustrated with others.

If you want real auditors, not primarily security considerations,
Jefferson Wells can do OK on occasion, but it is very dependent on the
personnel - make sure to get names and recommendations in these cases.
Off a cold call with a low potential for massive amounts of future
attention, many bigger firms will send you the B Team.

I'd also be careful about firms that do an analysis but do that as a
front to an internal product they like to sell.  There's a bit of a
conflict there that can taint the results with a hard sell.  This is
more common in the big firms from my experience.

Best wishes.  I've run across hundreds of organizations that do this -
so focus on the personnel brought to the table and the product they
deliver more than the firm if you can't get good local specific
recommendations.  I wouldn't take the organizations I've mentioned as
endorsements, they are just some players in the field.  My main point is
to consider the output/product they'll give you and the personnel they
bring to the table.  Any number of once good firms can really foul it up
too.

Best regards,

Jim

-----------University of Colorado--------------

Jim Dillon, CISA, CISSP

Program Manager

Administrative Systems and Data Services

jim.dillon () colorado edu        303-735-5682

-------------------Boulder------------------------

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Berman
Sent: Friday, March 14, 2008 6:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] What companies do a good security audit/review

Hi all,

I am trying to send out an RFP for a security review/audit here at
Williams. I have a couple of consulting companies that I've heard good
things about whom I will include in the RFP distribution, but I would
like a wider selection. The two I know about now are Bearhill and
Akibia. I've heard through the grapevine that many companies that do
this kind of work are not doing a very good job due to personnel
constraints (too much demand for security experts these days).


SO: Do you know of any vendors that I should include on my list? Any
vendors I should specifically NOT include? Any negative word on the two
companies I already have on my list (negative because what I've heard so
far is positive).

Any help will be much appreciated.

 - Mark

--

Mark Berman, Director for Networks & Systems

Williams College, Office for Information Technology