RE: Pen-testing - pricing model

["Michael Scheidell" <scheidell () secnap net>]

> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of Chris Stromblad
> Sent: Thursday, November 30, 2006 5:00 AM
> To: pen-test () securityfocus com
> Subject: Pen-testing - pricing model
>
>
> Hi list,
>
>
> Say I were to give you one of the following scenarios, what would you 
> charge (roughly):
>
> 1. "Black box with shades of gray", 2 /24 networks, not all 
> devices are 
> active. External scan.

Mostly included in the total below price, you are looking for either on
onsite IT security audit, or an IT security audit with a 'compliance'
component (what regs?)
> 2. Internal scan, only devices
How many?

> 3. Internal scan, procedures, physical security and devices
How many (again) 

For procedures, are you talking:  
1) standard IT security best practices (policy gap analysis, conformance
to policy?)
2) HIPAA, GLBA, SOX, PCI, FERPA, OTC, OCC, NIST (oh, you are in .se.. )
   would depend, mostly, maybe ISO 17799 (2700x)

For physical security? How many locations, where are they located?

You would be expected to pay for onsite visits, time and mileage, per
diem, travel expenses.

> I know this question is somewhat difficult to answer, because 
> there is 
> no correct answer, but any advice is welcome.

Also, US pricing would be different than EU pricing anyway.

-- 
Michael Scheidell, CTO
SECNAP Network Security Corporation
Web based security and privacy training
http://www.secnap.com/training

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------