#1: Lots of companies can run a scan and tell you "You need to set X on your firewall" or "You need to add patch Y to this server". But as Schneier says, "Security is a process, not a device." You need someone who will look at the big picture. Items a true assessment should look at include:
- Security policies and procedures
- Business continuity planning and disaster recovery
- User account management
- Logging and monitoring
- Incident-response plans
- Security relationships with business partners
- Firewall, DMZ, and VPN configuration
- Router configuration
- Wireless network security
- Dial-up security, including unauthorized or unprotected modems and voice mail security
- Remote access architecture
- Internal server and workstation configuration
- Network topology and internal segregation
- Physical security
#2: Ask for the credentials of the people who will do the actual assessment. Is their experience mainly just in configuring firewalls & servers, or have they done assessments? Have they assessed all of the issues above, or just done scans and "ethical hacking"? Do they have CISSP and/or CISA certifications?
Also, have they done assessments of large, multi-site enterprises, or just small or medium-sized offices? Have they done work for gov't agencies before, or only the private sector?
#3: Lastly, a shameless plug: The entire Texas state government has been using Sprint's E|Solutions division to assess their agencies and state universities. How many others have that kind of large-scale, state gov't experience? Not many, I'd bet.