Re: Security Audit

[H Carvey <keydet89 () yahoo com>]

Well, it's not clear what your mix of systems
is...20-40 users and servers is a start.  
How about routers, firewalls, other devices?

In a nutshell, and without knowing more
information, a well-planned security audit
(ie, vulnerability assessment) can be conducted
on-site in less than a day....that's
just the collection of technical information.  If
the audit/assessment is to include 
personnel interviews, with your size, the
necessary interviews could be easily
included in that time.  

Again, without knowing more about what systems you
have and what the 
proposed scope of work looks like, I'd say 3
people on-site for one full day to 
get a vulnerability assessment done.  But this
assumes some things...they have 
all of the tools they need, have planned things
out, and have your full cooperation.

The penetration test is another matter.  This is a
'sexy' service that is really already
covered by the vulnerability assessment...by
looking at things from the inside, you 
can secure them relatively well against external
attack.  

These days, the only real value of pen tests is to
assess your IR team's capabiliites.



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/