Re: Security Audit

From: H Carvey (keydet89at_private)
Date: Sat Sep 01 2001 - 03:59:10 PDT


    Well, it's not clear what your mix of systems is...20-40 users and
    servers is a start. How about routers, firewalls, other devices?
    
    In a nutshell, and without knowing more information, a well-planned
    security audit (i.e., vulnerability assessment) can be conducted
    on-site in less than a day....that's just the collection of technical
    information. If the audit/assessment is to include personnel
    interviews, with your size, the necessary interviews could be easily
    included in that time.
    
    Again, without knowing more about what systems you have and what the
    proposed scope of work looks like, I'd say 3 people on-site for one
    full day to get a vulnerability assessment done. But this assumes
    some things...they have all of the tools they need, have planned
    things out, and have your full cooperation.
    
    The penetration test is another matter. This is a 'sexy' service that
    is really already covered by the vulnerability assessment...by
    looking at things from the inside, you can secure them relatively
    well against external attack.
    
    These days, the only real value of pen tests is to assess your IR
    team's capabilities.
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 10:49:13 PDT