Security Audits Recommendations


(Samuel Crisp) #1

Who do you use to audit your network for security and reliability?

We get our annual PCI compliance port check, but we are looking to have an annual audit done to ensure our servers and firewalls are keeping the bad stuff out and that we are observing best practices.

Any recommendations?


(Christopher Harvey) #2

We have used local (to Indiana) companies, so I can’t really recommend a specific vendor, but I can mention what we have done and about how much we’ve paid with 3 different vendors for annual security audits over the past 3 years.
We typically pay $15k-$18k each year for the following:

  • Security Assessment & gap analysis - about $4k
  • Phishing and pretext calling tests - about $3k
  • Penetration test - $5k
  • Internal vulnerability scan (70 production server IPs) $3k-$5k

Of course, we are an insurance company and must have these done as part of compliance, so it's possible we are paying a higher rate.

Hope that helps.


(Breffni Potter) #3

I've seen pen tests priced anywhere from 5k USD to as high as 50k USD.

There is a lot of smoke and mirrors in this market and a lot of dishonest providers. Even within PCI compliance checks, a situation came up where a company that deals in really private data had a web app that was woefully insecure. I ran a PCI check and it failed on so many points. It turns out that every time the bank scanned the app, the developer who built it would phone the bank and argue with them that their test was wrong until they gave him a passing grade.

Security is really not difficult. I'd argue that unless you are running external services (why are you?) or have money to burn, then get pen tests.