Fred Cohen & Associates provides standardized information security assessments at firm fixed prices ranging from rapid future architecture planning sessions to full protection posture assessments. These studies are summarized here along with sample statements of work using our standard SOW forms.
Security Architecture Future Study: This study is a standardized review of key elements of enterprise security architecture following the Security Decisions approach. In this study, one security expert holds a 2-day telephone meeting with 3-5 key enterprise security architects to lay out the future directions for your enterprise security architecture. A set of about 30 key decisions is made during the two days on site, and a write-up of those decisions is provided as a deliverable within 10 days of the conference call. Sample SOW
Optional Security Architecture RoadMap Add-on: This is an add-on to the security architecture future study that augments the study with a roadmap of how the enterprise can get from its current situation to the future state. During the future study, additional information on the current security architecture is collected, and a roadmap is generated as a second report to indicate how the enterprise can reasonably transition from the current state to the future state. If ordered without a future study, a future study will be used as a replacement for this ordered item. Sample SOW
Minimum Information Security Rapid Assessment: This is the minimum-level information security rapid assessment offered by our teams. In this assessment, a team of 2 people makes an on-site visit for 2 days to review security issues within the enterprise. This includes a variety of small-scale tests of security issues with select systems, a vulnerability scan, and a variety of interviews. 14 days after the site visit is completed, a draft report of 20-35 pages is produced identifying the current security state and likely urgent, tactical and strategic changes required to meet reasonable and prudent security levels in reasonable time frames. Sample SOW
Full Information Security Rapid Assessment: This is the full-level information security rapid assessment offered by our teams. This assessment augments the minimal rapid assessment with more comparison information, including evaluation against security standards ISO17799, GAISP, and CMM-SEC, and a comparison to other comparable companies that have had similar studies performed. 14 days after the site visit is completed, a draft report of 35-70 pages is produced identifying the current security state and likely urgent, tactical and strategic changes required to meet reasonable and prudent security levels in reasonable time frames. Sample SOW
Information Protection Posture Assessment: This is a standard information protection posture assessment offered to major enterprises worldwide. It includes a group of experts visiting several sites over a 5-day period, focused penetration testing and in-depth interviews with scores of people, and a full-up report on the current situation with respect to information protection at the enterprise. Sample SOW
Long-Term Future Security Architecture Study: This study gathers together 5 or more experts on information security and your type of business for several days to generate ideas and discuss options for a long-term (10-year) security vision and architecture for your organization. About 20 days after the end of the meeting, a set of initial presentation slides is provided for three options of the long-term future security architecture. The client then picks one to be detailed and we create in-depth final presentation slides within 10 days. Sample SOW
Policy Reconciliation Study: This study reconciles up to 25 client policies against ISO17799 or another specified and agreed policy framework to produce a reconciliation matrix and a by-reference policy (a policy framework with elements identified from existing policies in that policy and copied over, inconsistencies identified). It is the best approach we have to generating a new standards-based policy that is consistent with existing policies. Sample SOW