Educause Security Discussion mailing list archives

Re: Security Assessment


From: Robert Henry <rhenry () SCU EDU>
Date: Thu, 17 Mar 2016 08:11:53 -0700

All, SCU conducted a 3rd party security assessment in May and June of
2015.  My answers to Robert's questions are below:

1. Who was the company?

Enclave Security, James Tarala was the assessor

2. What was the scope? Did it cover; (Security Organization, Executive
Support, Policies and Procedures, Security Awareness Programs, Tools sets
(Defense in Depth), Enforcement)?

The assessment was based on the CIS 20 Critical Controls.  The final report
was a prioritized list of administrative and technical controls describing
specific steps to improve our security posture.  James Tarala was very good
about noting that addressing issues in all 20 domains at once would not be
successful and recommended a recursive process for improvement (which is
echoed throughout the 20 Critical Controls).

3. Did it also include a PCI assessment?

No, we hired Trustwave to conduct a PCI assessment one year earlier (it is
probably time for another one).

4. How long was the engagement?

One month of information gathering (done remotely).  Four weeks to draft
the report.  We had input on every draft of the report.

5. Would you use the same company again?

Yes.  We had a very positive experience.

6. Was the company responsive with any rebuttals?

Very responsive while preparing the report.  Also provided support and
helped answer questions when we presented the report to SCU execs and Board.

Let me know if you have any questions.

Bob


--
Robert Henry, CISSP
Chief Information Security Officer
Santa Clara University
rhenry () scu edu
408-554-5554
http://www.scu.edu/is/secure

NEVER e-mail your user name or password to anyone.  IS staff will NEVER
ask you for your password or login information by e-mail.  Please contact
the Technology Help Desk at (408) 554-5700 if you have concerns or
questions.



On Wed, Mar 16, 2016 at 1:06 PM, Jasek, Robert E. <robert.jasek () trincoll edu>
wrote:

Greetings,

I was wondering who has had a recent third party IT security risk
assessment performed and if you would be willing to share some
information.


1. Who was the company?

2. What was the scope? Did it cover; (Security Organization, Executive
Support, Policies and Procedures, Security Awareness Programs, Tools sets
(Defense in Depth), Enforcement)?

3. Did it also include a PCI assessment?

4. How long was the engagement?

5. Would you use the same company again?

6. Was the company responsive with any rebuttals?

I would be happy to take this offline if that is helpful.

Thank you,

Robert
