Comment Wide coverage, state gov't experience (Score 1) 356

#1: Lots of companies can run a scan and tell you "You need to set X on your firewall" or "You need to add patch Y to this server". But as Schneier says, "Security is a process, not a device." You need someone who will look at the big picture. Items a true assessment should look at include:
  • Security policies and procedures
  • Business continuity planning and disaster recovery
  • User account management
  • Logging and monitoring
  • Incident-response plans
  • Security relationships with business partners
  • Firewall, DMZ, and VPN configuration
  • Router configuration
  • Wireless network security
  • Dial-up security, including unauthorized or unprotected modems and voice mail security
  • Remote access architecture
  • Internal server and workstation configuration
  • Network topology and internal segregation
  • Physical security
#2: Ask for the credentials of the people who will do the actual assessment. Is their experience mainly just in configuring firewalls & servers, or have they done assessments? Have they assessed all of the issues above, or just done scans and "ethical hacking"? Do they have CISSP and/or CISA certifications?

Also, have they done assessments of large, multi-site enterprises, or just small or medium-sized offices? Have they done work for gov't agencies before, or only the private sector?

#3: Lastly, a shameless plug: The entire Texas state government has been using Sprint's E|Solutions division to assess their agencies and state universities. How many others have that kind of large-scale, state gov't experience? Not many, I'd bet.
