Educause Security Discussion mailing list archives
Procedure for carrying out security assessment/audit of systems
From: Paul Kennedy <paul.kennedy () UCD IE>
Date: Thu, 31 Oct 2019 13:42:33 +0000
Hello Everyone,

Perhaps this has been covered before, but if not, I am wondering if you have any policies, procedures, guidelines or advice on carrying out external security audits/assessments/penetration tests of University systems (either on-premise or externally hosted) that you would be willing to share with me?

We currently contract external security companies to run audits, vulnerability scans and penetration tests of on-premise systems that contain confidential information. However, as our suppliers are starting to host systems themselves, and as the University procures more and more cloud services, I would really appreciate it if you could share any procedures (or any advice) you have on when to carry out an external security audit/assessment of systems.

Some questions I am hoping to answer are:

- What criteria are required to decide if a system requires an external security assessment/audit/penetration test? *(Is it based on the sensitivity of the information in the system, if the system is a bespoke cloud service, if the companies don't undertake their own external reviews, etc.)*
- How often should we carry out external security reviews of these systems? *(Routinely every 1 or 2 years, after a major software release or infrastructure upgrade)*
- How to evaluate which security company is appropriate to undertake a review? *(Company reputation, qualifications or experience of staff, cost!)*
- Should we request that the security company retest systems after any critical findings are fixed?
- Should we insist on using different companies for subsequent reviews of the same system?

We use the Educause cloud vendor assessment toolkit to help evaluate cloud services, so what I am really looking for is advice on deciding when a security review is required and what is required to ensure a successful review.
Any advice would be really appreciated or if you have any procedures or documentation that you would be

Thanks in advance,

Paul Kennedy
IT Security Officer
UCD IT Services, University College Dublin, Belfield, Dublin 4, Ireland
T. +353 1 7162015
E. Paul.Kennedy () ucd ie
W. www.ucd.ie/itsecurity