Educause Security Discussion mailing list archives

Procedure for carrying out security assessment/audit of systems


From: Paul Kennedy <paul.kennedy () UCD IE>
Date: Thu, 31 Oct 2019 13:42:33 +0000

Hello Everyone,

Perhaps this has been covered before, but if not, I am wondering if you
have any policies, procedures, guidelines or advice on carrying out
external security audits/assessments/penetration tests of University
systems (either on-premise or externally hosted) that you would be willing
to share with me?

We currently contract external security companies to run audits,
vulnerability scans and penetration tests of on-premise systems that
contain confidential information; however, as our suppliers are starting to
host systems themselves, or as the University procures more and more cloud
services, I would really appreciate it if you could share any procedures (or
any advice) you have on when to carry out external security
audits/assessments of systems.

Some questions I am hoping to answer are:

What criteria are required to decide if a system requires an external
security assessment/audit/penetration test?

*(Is it based on the sensitivity of the information in the system, if the
system is a bespoke cloud service, if the companies don’t undertake their
own external reviews, etc.)*

How often should we carry out external security reviews of these systems?

*(Routinely every 1 or 2 years, after a major software release or
infrastructure upgrade)*

How to evaluate which security company is appropriate to undertake a
review?

*(Company reputation, qualifications or experience of staff, cost!)*

Should we request that the security company retest systems after any
critical findings are fixed?

Should we insist on using different companies for subsequent reviews of the
same system?

We use the Educause cloud vendor assessment toolkit to help evaluate cloud
services, so what I am really looking for is advice on deciding when a
security review is required and what is required to ensure a successful
review.

Any advice would be really appreciated or if you have any procedures or
documentation that you would be

Thanks in advance,
Paul Kennedy

*Paul Kennedy*
IT Security Officer
UCD IT Services, University College Dublin, Belfield, Dublin 4, Ireland
T. +353 1 7162015 E. Paul.Kennedy () ucd ie <your.email () ucd ie> W.
www.ucd.ie/itsecurity <http://www.ucd.ie/it/>
*Empowering people through IT*
*This email is only for the use of its intended recipient.  Its contents
are subject to a duty of confidence and may be privileged.  If you receive
it in error please notify the sender.*
