Projects: Security - Baseline
How To Engage a Security Services Firm



By John Moore

Table of Contents:
  1. How To Engage a Security Services Firm
  2. Use caution when choosing
  3. Define the engagement
  4. Follow the assessment process
  5. Translate reports into action
  6. Who

An outside consultant can bring fresh insights on a company's security practices. Make sure you establish ground rules first.


How To Engage a Security Services Firm - Translate reports into action items

(Page 5 of 6)

Translate reports into action items

The external security assessment culminates with the consultant's report, which, in some cases, may actually be two reports.

A preliminary report, ideally, lists the networks and systems examined, the techniques used in testing, the vulnerabilities encountered and suggestions for remediation. This report becomes the basis for setting remediation priorities. Anywhere from a handful to dozens of vulnerabilities may be uncovered. Consultant and customer work together to determine the order in which lapses will be addressed. "Prioritization is where the real work happens," Ullrich says.

Indeed, the parties may need to reconcile their interpretations of the findings. What a consultant deems a security issue may be a risk the customer is willing to take.

EDS' Morrow says a company may have a solid business reason for not complying with a certain security standard. In the outsourcing business, for instance, a customer may require a vendor to host an application on an older operating system that fails to address the latest security benchmark.

Morrow suggests that close communication between consultant and customer can identify such issues so the auditor doesn't spend time pursuing a dead end. He says auditors should "keep in constant contact" with customers and, if a reason exists for a particular case of noncompliance, "note it and move on."

Once priorities are hammered out, Cybertrust's Mack recommends that customers develop a "mini project plan" to address each vulnerability. In a Payment Card Industry audit, this approach lets customers demonstrate to credit card companies which compliance problems are being addressed and within what time frames. "This gives them a leg to stand on … to show they are actively pursuing compliance," Mack says.

After the customer completes the remediation phase, the consultant may be brought back in for a final assessment. This audit verifies that changes have been made and leads to a second report, the final version, which documents the testing of remediated systems.
