Educause Security Discussion mailing list archives

Re: Vulnerability and Data Loss Protection Scanning


From: Kevin Reedy <KReedy () EXCELSIOR EDU>
Date: Wed, 16 Mar 2016 15:44:18 -0400

Hi Scott,

We have been using Leidos and are happy with the service they provide.  For
better or worse they usually don't tell me anything I don't know, but it
gives me a list of documented findings that has become a useful tool in
remediation.  In a way being the middle man makes me less of the bad guy,
and I like that.

There are a million ways to skin this cat from a technology perspective, for
the most part budget and manpower being the biggest obstacles.

It might be fun for you to run Nessus or spin up a Kali Linux box to see
what it tells you beforehand.  If you have patching issues with
workstations for example and can fix that easily before they come on site
it may let them focus on other things, instead of producing 100 pages of
machines all missing the same patches.

You also will want to have a clear idea of why you are doing this.  FERPA?
PCI?  Maybe HIPAA?  Maybe you use the CoCS 20 internally already and want
to benchmark against that?  Of course the vendor will walk you through all
this and many other items, but it's nice to be prepared for the
conversation a little bit.  A good vendor should ask you what you want from
them, and if you can't really tell them they will help you get there by
asking the right questions.  Based on the question and your title I am
guessing that you don't have a huge security team at your disposal, so this
could become a very useful annual process.

This is one of the areas that every organization handles differently based
on size, need, etc.  I'm looking forward to seeing the other responses from
a process perspective and other governance angles as well.

-Kevin



From:   Scott Voelker <svoelker () LBCC EDU>
To:     SECURITY () LISTSERV EDUCAUSE EDU,
Date:   03/16/2016 12:14 PM
Subject:        [SECURITY] Vulnerability and Data Loss Protection Scanning
Sent by:        The EDUCAUSE Security Constituent Group Listserv
            <SECURITY () LISTSERV EDUCAUSE EDU>



All,

I am fairly new to this listserv, and apologize if the following question
has already been answered.

We at Long Beach City College are looking for a company that can provide a
security assessment of our internal network and public facing servers. We
will be looking for both vulnerability and data loss protection scanning.

What vendors have you used, and were you happy with them? If you would do
anything differently, what would that be? Do you have any further
suggestions for us as we move forward?

With regard to public facing servers, I am aware that the CCC Security
Center provides a Vulnerability Assessment Scan service. Has anyone used
this service, and if so, would you suggest we look into it?

Thank you very much for your time,

Scott Voelker
User Support & Web Development, Deputy Director
Long Beach City College
4901 E. Carson Street
Long Beach, CA 90808
562.938.4007
svoelker () lbcc edu


