SOW Security

Published by John Croson
Sample statement of work for security audit.

Published by: John Croson on Apr 01, 2008
Copyright: Attribution Non-commercial







Friday, October 07, 2005

David Demarais
Integrated Billing
7071 South 13th Street
Suite 104
Oak Creek, WI 53154

Dear David,

The following contains MyCompany's proposal for a network security audit. We at MyCompany feel this solution will meet Integrated Billing's network and data security requirements.

This proposal outlines the scope of work necessary to implement the network security audit at Integrated Billing. The suggested stages will ensure a proper audit, and recommend steps toward securing your environment.

Performing a security audit is not a trivial affair. For a moderate-sized firm in a single location, total calendar time to complete the audit may be three weeks to a month, dedicating an engineer to the project full time. Security audits, especially for the first audit, are not inexpensive. Costs depend on a wide variety of factors. A firm with a couple of hundred people in a single office with the "normal" array of computer applications found in a typical law firm might expect to pay $25,000 to $30,000 for a good in-depth security audit.

If you have never had a security audit, costs may be higher. In addition, the first-time audit is likely to disclose a great number of items which are worthy of further attention (i.e. more time and cost to fix potential security issues). Of course, over time, you can expect to narrow the scope of follow-on audits, so costs might possibly be reduced.

Scope of Services

Stage 1: Conduct Security Assessment

1. Identification of key personnel to be interviewed for information gathering.
2. Identification of all critical and non-critical security components to be assessed (e.g. firewalls, IDS, proxy, applications, databases, etc.)
3. Conduct a Business Impact Analysis (BIA) that will be used to determine the appropriate controls (technical and administrative) to develop the policies.
4. Identification of all threats, vulnerabilities and security issues in each component.

Stage 2: Formulation of Target Security Architecture Designs

1. Conduct logical architecture design of IT security components to organize the physical architecture and implement security in all identified architectures. The logical structure includes processes, technology and people. It consists of perimeter security, antivirus policy, security administration, a Disaster Recovery Plan (DRP), risk and threat analysis, data security, application security, and infrastructure security.
2. Conduct physical architecture design to include network diagrams illustrating firewalls, mail gateways, proxies, modem pools, VLANs, Demilitarized Zone (DMZ), internal and external connections and devices used, and diagrams of other architectures in relation to security architecture.

Stage 3: Construction of Policies and Procedures

Develop policies and procedures to guide employees on acceptable use. When creating these policies, client will be consulted to achieve a delicate balance between security and the ability to conduct business.

Stage 4: Implementation of Target Security Architecture Design

Once the conceptual design and all related policies and procedures are developed, implementation of target security architecture can begin. Projects that implement architectural changes will have a plan that defines timelines, budgets, and resources needed to implement these changes.

Stage 5: Integration of Security Practices to Maintain Secure Status

1. Change management process: Any changes to networks and other infrastructure components must go through this process.
2. Project management methodology and guidelines will serve to guide various technology projects in the organization. Security should be integrated into these guidelines at all stages required by these guidelines.

I would again like to thank you for allowing MyCompany L.L.C. the opportunity to provide for your computer and networking needs.
