Penetration Testing mailing list archives

Security Audits


From: "Steve Goldsby" <Steve () integrate-u com>
Date: Thu, 6 Sep 2001 21:45:21 -0700

It IS possible to get this down to a repeatable, predictable process.

We've adopted the Keane Productivity Management (PM) Principles. We've
applied them to each engagement, developing project plans and schedules, and
so now, with rare exception, we do a FULL security audit in 6 weeks. This
covers data collection, interviews, physical security, social engineering,
policy, backup & recovery, etc etc etc. And of course, the full scans.

Things that bump this up are extra site visits or uncooperative staff. As a
sample, we've done:

a 7 campus college.  750 page report.  6 weeks.
a 16 campus hospital.  375 page report.  6 weeks.
a 4 campus college.  260 page report.  6 weeks.

I have a large national hospital in proposal now, but it requires visits to
each of 20 operating locations nationwide. This one will take 14 weeks due
to travel...

The point to all this rambling is this: if you break your assessment into
discrete components, and follow your project plan each time, you will find
risk factors that could cause problems, and you'll end up modifying your
process to accommodate them.

We always bill T&M, and to date have NEVER come in over budget.  Ever.

Steve
www.integrate-u.com