Before you complete your plans for your upgrade path, you might want to hire a professional to review your infrastructure and assumptions. That is just what I did.
Before doing my upgrade, I wanted to be sure my infrastructure would be up-to-date with current standards. The following 2-part document first qualifies the person giving advice and then presents 25 questions I needed that person to answer.
(As each of the 254 questions is covered on the CISSP exam, a competent consultant should be able to guide you in the right direction.)
Feel free to adjust the estimates of person-hours for each task. The estimates below are for a company with about 50 servers, 50 network devices, and a WAN / MPLS covering a dozen offices across the US.
Good luck!
RFQ Goal: THE COMPANY desires to contract with a consultant who will, on an annual basis, review THE COMPANY’s compliance with its own security policies and standards. The consultant will summarize their findings in a brief report, including any recommendations for future improvement. In addition, as planning for a major upgrade is underway, additional recommendations for the upgraded system are expected.
Consultant Background: The consultant will be an individual skilled and experienced in this task. The consultant will have no less than five years' experience in the information security field.
Credentials: The consultant must have at least one of the following credentials and furnish verification that the credential is current:
* Certified Information Systems Security Professional (CISSP)
* Certified Information Systems Auditor (CISA)
* Certified Information Security Manager (CISM)
Work to be Performed:
* THE COMPANY will send the consultant a Purchase Order authorizing the start of the engagement. Depending on consultant availability, the engagement is expected to take from four to ten weeks to complete.
* Supporting material review: Within two weeks of receiving a purchase order authorizing work to begin, the consultant will spend 6 to 8 hours reviewing any supporting materials provided by THE COMPANY (typically answers to prior security assessments) and developing follow-up questions.
* Estimated consulting time: 8 hours.
* Follow-up questions: Within four weeks of receiving a purchase order authorizing work to begin, the consultant will then email those questions to a designated contact at THE COMPANY and then read any answers that are returned.
* Estimated consulting time: 2 hours.
* Within six weeks of receiving a purchase order authorizing work to begin, the consultant will then spend up to 4 hours on-site at THE COMPANY’s data center, asking questions to validate what they have read in the supporting materials and written answers.
* Estimated consulting and travel time: 8 hours.
* Within six weeks of receiving a purchase order authorizing work to begin, the consultant will use an industry standard tool of their choosing and at their cost, to attempt a penetration test of THE COMPANY’s system.
* Estimated consulting time: 16 hours.
* Within eight weeks of receiving a purchase order authorizing work to begin, the consultant will then use Microsoft Word to fill in a twenty-five question survey with their observations and recommendations and email their report to their contact at THE COMPANY. Any question not applicable to a security assessment may be left blank.
* Estimated consulting time: 2 hours.
* Within nine weeks of receiving a purchase order authorizing work to begin, the consultant will conduct a conference call reviewing their findings.
* Within ten weeks of receiving a purchase order authorizing work to begin, the consultant agrees to forward to THE COMPANY copies of all supporting documents, other working papers, and work products produced on behalf of THE COMPANY, and also to provide THE COMPANY with an invoice for the amount agreed to in the Purchase Order. THE COMPANY will pay the invoice within fifteen days.
Confidentiality:
* The consultant agrees that all information, working papers, and work results gathered and developed as a result of this engagement are the confidential property of THE COMPANY and will not be divulged to any other person or organization than contacts at THE COMPANY.
25 Question Security Assessment for
(Company Name and location: )
Date of consultant contract:
Date of review meeting:
* Access Control
  * 01. Categories and Controls
  * 02. Control Threats and Measures
* Application Security
  * 03. Software Based Controls
  * 04. Software Development Lifecycle and Principles
* Business Continuity and Disaster Recovery Planning
  * 05. Response and Recovery Plans
  * 06. Restoration Activities
* Cryptography
  * 07. Basic Concepts and Algorithms
  * 08. Signatures and Certification
  * 09. Cryptanalysis
* Information Security and Risk Management
  * 10. Policies, Standards, Guidelines and Procedures
  * 11. Risk Management Tools and Practices
  * 12. Planning and Organization
* Legal, Regulations, Compliance and Investigations
  * 13. Major Legal Systems
  * 14. Common and Civil Law
  * 15. Regulations, Laws and Information Security
* Operations Security
  * 16. Media, Backups and Change Control Management
  * 17. Controls Categories
* Physical (Environmental) Security
  * 18. Layered Physical Defense and Entry Points
  * 19. Site Location Principles
* Security Architecture and Design
  * 20. Principles and Benefits
  * 21. Trusted Systems and Computing Base
  * 22. System and Enterprise Architecture
* Telecommunications and Network Security
  * 23. Network Security Concepts and Risks
  * 24. Business Goals and Network Security
* Penetration Test
  * 25. Description of test approach, results, and recommendations.