It IS possible to get this down to a repeatable, predictable process. We've adopted the Keane Productivity Management (PM) Principles. We've applied them to each engagement, developing project plans and schedules, and so now, with rare exception, we do a FULL security audit in 6 weeks. This covers data collection, interviews, physical security, social engineering, policy, backup & recovery, etc., etc., etc. And of course, the full scans. Things that bump this up are extra site visits or uncooperative staff.

As a sample, we've done:

- a 7-campus college. 750-page report. 6 weeks.
- a 16-campus hospital. 375-page report. 6 weeks.
- a 4-campus college. 260-page report. 6 weeks.

I have a large national hospital in proposal now, but it requires visits to each of 20 operating locations nationwide. This one will take 14 weeks due to travel...

The point to all this rambling is this: if you break your assessment into discrete components, and follow your project plan each time, you will find risk factors that could cause problems, and you'll end up modifying your process to accommodate them. We always bill T&M, and to date have NEVER come in over budget. Ever.

Steve
www.integrate-u.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service, which automatically alerts you to the latest security vulnerabilities, please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 10:54:25 PDT