Educause Security Discussion mailing list archives

Re: What companies do a good security audit/review


From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Fri, 14 Mar 2008 12:31:12 -0700

Mark,
There are two issues to consider: The RFP and the consulting company.  Of
the two, the RFP is often the most important because it allows you to match
your specific needs to the consulting company's capabilities.  I have been
on a variety of teams that had little guidance and, under those conditions,
the security consultants reverted back to what they knew and liked to do.
For example, a security company that knows all about firewalls and their
associated rule sets may not be the best choice to examine data flows to
ensure that data regulated under a variety of privacy laws are not leaking
out of your organization or into your organization.  Companies that are very
good at defining/auditing organizational policies, procedures and contracts
to ensure compliance with the ever growing number of laws and regulations
may not have the full skill set to translate them into solutions, audit
their implementation, etc.  Just make sure that you know precisely what you
want, why you want it and what regulations (and there are always multiple of
these) apply.  Make sure that you include all appropriate NDA statements and
controls in the RFP.  For example, you may require that all consultants have
received appropriate background checks so that a hacker or criminal with a
history is not brought in as one of your 'security consultants', etc.  Now,
once you have an RFP that covers what you want and what you expect to
receive, you can then move forward and identify candidate companies to carry
out the work.  From experience, I can tell you that many audits have so many
holes in them that they are basically very expensive placebos.  When that
happens, it is usually because the RFP was not sufficiently detailed and the
company or companies doing the work essentially packaged a deliverable that
they could do within budget.  If you can give me a bit more information on
what kind of audit you are looking for, I should be able to point you to
multiple sources with a good reputation.  Let me know,

Ozzie Paez
SSE/CISSP
SAIC
303-332-5363

  -----Original Message-----
  From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Mark Berman
  Sent: Friday, March 14, 2008 5:06 AM
  To: SECURITY () LISTSERV EDUCAUSE EDU
  Subject: [SECURITY] What companies do a good security audit/review


  Hi all,

  I am trying to send out an RFP for a security review/audit here at
Williams. I have a couple of consulting companies that I've heard good
things about whom I will include in the RFP distribution, but I would like a
wider selection. The two I know about now are Bearhill and Akibia. I've
heard through the grapevine that many companies that do this kind of work
are not doing a very good job due to personnel constraints (too much demand
for security experts these days).

  SO: Do you know of any vendors that I should include on my list? Any
vendors I should specifically NOT include? Any negative word on the two
companies I already have on my list (negative because what I've heard so far
is positive)?

  Any help will be much appreciated.

   - Mark

  --
  Mark Berman, Director for Networks & Systems
  Williams College, Office for Information Technology

  *** Please consider the environment before printing this message
