Page 5 - How To Engage a Security Services Firm

Projects: Security - Baseline

Home

Projects: Security

Renew Your Subscription

Projects: Security

How To Engage a Security Services Firm
By John Moore
2007-03-09

Article Views: 2449
Article Rating:

/ 1

Table of Contents:

Rate This Article:

Add This Article To:

Digg this

Del.icio.us

Slashdot

Y! My Web

E-mail

Furl

Google

Simpy

Spurl!

PDF Version

How To Engage a Security Services Firm - ' Translate reports into action '
( Page 5 of 6 )

items">

Translate reports into action items

The external security assessment culminates with the consul-tant's report, which, in some cases, may be two reports.

A preliminary report, ideally, lists the networks and systems examined, the techniques used in testing, the vulnerabilities encountered and suggestions for remediation. This report becomes the basis for setting remediation priorities. Anywhere from a handful to dozens of vulnerabilities may be uncovered. Consultant and customer work together to determine the order in which lapses will be addressed. "Prioritization is where the real work happens," Ullrich says.

Indeed, the parties may need to reconcile their interpretations of the findings. What a consultant deems a security issue may be a risk the customer is willing to take.

EDS' Morrow says a company may have a solid business reason for not complying with a certain security standard. In the outsourcing business, for instance, a customer may require a vendor to host an application on an older operating system that fails to address the latest security benchmark.

Morrow suggests that close communication between consultant and customer can identify such issues so the auditor doesn't spend time pursuing a dead end. He says auditors should "keep in constant contact" with customers and, if a reason exists for a particular case of noncompliance, "note it and move on."

Once priorities are hammered out, Cybertrust's Mack recommends that customers develop a "mini project plan" to address each vulnerability. In a Payment Card Industry audit, this approach lets customers demonstrate to credit card companies which compliance problems are being addressed and within what time frames. "This gives them a leg to stand on … to show they are actively pursing compliance," Mack says.

After the customer completes the remediation phase, the consultant may be brought back in for a final assessment. This audit verifies that changes have been made and leads to a second report, the final version, which documents the testing of remediated systems.

Next: ' Who' >>

	Discuss How To Engage a Security Services Firm

	>>> Be the FIRST to comment on this article!



	>>> More Projects: Security Articles >>> More By John Moore

Email Article To Friend ♦ Print Version Of Article ♦ PDF Version Of Article

FREE ZIFF DAVIS ENTERPRISE ESEMINARS AT ESEMINARSLIVE.COM

Dec 3, 4 p.m. ET
Essential Archive Requirements for E-Discovery with Michael Krieger. Sponsored by Dell MessageOne

Dec 8, 12 p.m. ET
Hewlett-Packard Company Extreme Storage: How to Ensure Massive Scalability on a Limited Budget with Michael Vizard. Sponsored by HP

Dec 8, 1 p.m. ET
Using Virtualization to Drive Compliance with Aaron Goldberg. Sponsored by HP/Intel/VMware

Dec 9, 12 p.m. ET
Enabling the Virtual Data Center Simply and Cost-Effectively with Aaron Goldberg. Sponsored by Dell EqualLogic

Dec 9, 4 p.m. ET
A Secure System is a Well Managed System with Joel Shore. Sponsored by KACE

Dec 10, 12 p.m. ET
Big Benefits, and It's Easier than You Think - Migrating RISC-Based Systems to Industry Standards with Aaron Goldberg. Sponsored by Dell & Intel

Dec 10, 2 p.m. ET
The Windows Server Virtualization Platform with Jospeh Maglitta. Sponsored by Unisys

Dec 11, 1 p.m. ET
A Customer Survey - What Real Organizations Want And Need from Blade Servers with Aaron Goldberg. Sponsored by Dell & Intel Blades

More Upcoming Events!


		Discover Your Potential – Villanova 100% online! Interactive, Real-Time Reporting: 60-Day Trial Increase efficiency with Dell PartnerDirect Let Cisco Transform Your Business With 802.11n Work Less. Deliver More. Try Crystal Reports® Server 2008 Avoid the crash. Arm your Road Warriors with SSD Get the new Treo™ Pro smartphone by Palm® Microsoft SQL Server 2008. Learn More. PAY UP TO 30% LESS FOR COLOR PRINTING. Get a free trial of Fair Isaac® Blaze Advisor®. Get Tech On Tap technical enewsletter from NetApp. Download the “Best Antivirus Product of 2007” Improve the customer experience with Dialogue

SPONSOR CONTENT

Higher performance and lower energy costs – who knew your datacenter could accomplish both?

Click here to find out how.

Sponsored by

FEATURED ZIFF DAVIS ENTERPRISE CONTENT

BASELINE MOBILE IS HERE!

News for IT Leaders On-the-Go!

For the most up to date content for implementing information technology from our knowledgeable and trusted editors, visit our mobile site from your handheld device.

Go to
mobile.baselinemag.com

	LATEST STORIES
	- U.S. Entered Recession December 2007 - 13 Ways to Cut IT Costs Now - Baidu Vows Overhaul After Search Scandal - Mobile Phones Distract Drivers More than Pas... - Microsoft Yahoo Deal Total Fiction

Baseline:	Issue Index \| Contact Us \| About \| Media Kit \| Magazine Customer Service \| Navigation Guide
Quick Links:	Project Planners \| Enterprise Resource Planning \| Network and Online Security \| Data Analysis \| Process Management \| Storage Devices\| Link to Us

	Ziff Davis Enterprise Home \| Contact Us \| Advertise \| Link to Us \| Reprints \| Magazine Subscriptions \| Newsletters Tech RSS Feeds \| White Papers \| Tech Podcasts \| Tech Video \| VARs \| System Builder
	Baseline \| Careers \| Channel Insider \| CIO Insight \| DesktopLinux \| DeviceForge \| DevSource \| eSeminars \| eWEEK \| Enterprise Network Security \| LinuxDevices \| Linux Watch \| Microsoft Watch \| Mid-market \| Networking \| PDF Zone \| Publish \| Security IT Hub \| Strategic Partner \| Web Buyer's Guide \| Windows for Devices
	Developer Shed \| Dev Shed \| ASP Free \| Dev Articles \| Dev Hardware \| SEO Chat \| Tutorialized \| Scripts \| Code Walkers \| Web Hosters \| Dev Mechanic \| Dev Archives \| igrep Use of this site is governed by our Terms of Use and Privacy Policy
	Copyright ©1996-2008 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. eWEEK and Spencer F. Katt are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.

Baseline:	Issue Index \| Contact Us \| About \| Media Kit \| Magazine Customer Service \| Navigation Guide
Quick Links:	Project Planners \| Enterprise Resource Planning \| Network and Online Security \| Data Analysis \| Process Management \| Storage Devices\| Link to Us

	Ziff Davis Enterprise Home \| Contact Us \| Advertise \| Link to Us \| Reprints \| Magazine Subscriptions \| Newsletters Tech RSS Feeds \| White Papers \| Tech Podcasts \| Tech Video \| VARs \| System Builder
	Baseline \| Careers \| Channel Insider \| CIO Insight \| DesktopLinux \| DeviceForge \| DevSource \| eSeminars \| eWEEK \| Enterprise Network Security \| LinuxDevices \| Linux Watch \| Microsoft Watch \| Mid-market \| Networking \| PDF Zone \| Publish \| Security IT Hub \| Strategic Partner \| Web Buyer's Guide \| Windows for Devices
	Developer Shed \| Dev Shed \| ASP Free \| Dev Articles \| Dev Hardware \| SEO Chat \| Tutorialized \| Scripts \| Code Walkers \| Web Hosters \| Dev Mechanic \| Dev Archives \| igrep Use of this site is governed by our Terms of Use and Privacy Policy
	Copyright ©1996-2008 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. eWEEK and Spencer F. Katt are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.