Slashdot Mirror


User: djunia

djunia's activity in the archive.

Stories: 0
Comments: 2

Comments · 2

  1. Report the SOBs to the certifying agencies on Replaced by Outsourcing -- What's a Geek to Do? · Score: 2, Interesting

    This is a very bad business model. In order to sell themselves to the clients, they generally need to have GIAC or CISSP certifications. Those certifying bodies have codes of ethics. What you have described does not fit into those general codes of ethics. If anyone representing the outsource firm is a CPA, CISA, or CIA (the accounting world certifications for this sort of work), they have broken a really basic ethical requirement. This is followed more in the breach, but accounting firms that audit for security are not supposed to advise clients on how to fix the problems. The idea is that you cannot honestly audit a company for which you have provided or will provide other services. If they represented the work they did as a SAS70 or other public assurance audit and then took over the jobs of people they assessed, they can be censured by any number of regulatory bodies. The biggest problem today is that there are flocks of us security folks out of work. I have 10 yrs experience, but no CISSP or CISA, and am considered "too senior" for the jobs that don't require certs. Charitably, I assume that they are referring to me having opinions about process and procedures. Privately, I am less naive.

  2. BTDT - Ronin's point of view on Recommendations for Third Party Security Audits? · Score: 1

    Just about anyone in the business -- from Joe and Sam's discount security outsourcing down the street to Foundstone/ISS/IBM will sell you vulnerability assessments. These are good things but only part of the process.

    What you need:

    1. Before you hire anyone, determine what you as a firm are ready to fix, what you are willing to do once the outside company tells you about your problems. Most security issues are based as much in process as in software. If you are being hit a lot and have no idea what to do about it, then you have process problems. The idea that websites are vulnerable is not new. Your firm entered a process without adequate internal ability to support that process. That is not a technical problem and it does not have a technical solution. If you are not going to be willing to change that stance, you will be throwing your money out the window. Outsource the whole web process and find someone who does know how to do what you are doing on the web (comparatively) securely. Firms spend bundles getting bad news and ignoring it. Software and assessments cannot fix process issues.

    2. Quick and dirty review of your web presence -- do that first. That should be done by a firm that specializes in web presence assessment. Everyone will tell you they offer that service because the market for security work is stone dead and everyone in the business is desperate. Web site security is different from internal document security is different from extranet security when doing assessments. **BE PREPARED TO FOLLOW RECOMMENDATIONS** Following recommendations may be expensive.

    3. Once you have identified whether you are ready to fix your process issues, get someone in who knows both tech and process. This should not, I am very sorry to say, be one of the big auditing firms. Theoretically, it should be. Process is their stock in trade. Unfortunately, real tech response is not. Their business process model does not allow for the specificity that fixing the technical or procedural side of a distributed system installation requires. Their business model requires that at least part of your review can be done by someone fresh out of college depending on a checklist. Or by a software tool. It really can't, unless you have already set up good processes and just need an outside pair of eyes to check on it.

    4. Hire someone to handle security for your entire system and **LISTEN TO THAT PERSON.** It will save you thousands in the long run.

    End of rant