Educause Security Discussion mailing list archives
Security Audit -- Application Layer
From: Kevin Casey <CaseyK () HUSSON EDU>
Date: Wed, 26 Jan 2011 07:47:21 -0500
In organizing a security audit RFP, it seems that any granular look at our ERP systems (i.e., looking at the security of each "page," instead of just the box upon which these apps live) would take the cost of this audit from "somewhat challenging to sell to our Cabinet" to "you've got to be kidding me."

Just looking for a reality check: is an audit that doesn't look this deeply at the application layer only half an audit (or less), and is this element as expensive as I fear, or have I not spoken with enough firms?

I would expect responses (hopefully) somewhere between, "Yes, you really need to do this and spend the money, or tell upper management that the job's only half done," and "While it would be nice, it is wicked expensive, so it's rare to go that deep; risks will remain if you don't do this, but these should be minimal if you adequately mitigate issues at the other layers, and in other areas."

Thanks for your time and opinions,
Kevin

__________________________________________
Kevin Casey
Executive Director
Information Resources
Phone: (207) 941-7123
Fax: (207) 941-7988
caseyk () husson edu
Husson University
www.husson.edu