Friday, October 07, 2005

David Demarais
Integrated Billing
7071 South 13th Street, Suite 104
Oak Creek, WI 53154

Dear David,
The following contains MyCompany's proposal for a network security audit. We at MyCompany feel this solution will meet Integrated Billing's network and data security requirements.

Overview

This proposal outlines the scope of work necessary to implement the network security audit at Integrated Billing. The suggested stages will ensure a proper audit and recommend steps toward securing your environment.

Performing a security audit is not a trivial affair. For a moderate-sized firm in a single location, total calendar time to complete the audit may be three weeks to a month, with an engineer dedicated to the project full time.

Security audits, especially the first audit, are not inexpensive. Costs depend on a wide variety of factors. A firm with a couple of hundred people in a single office, with the "normal" array of computer applications found in a typical law firm, might expect to pay $25,000 to $30,000 for a good in-depth security audit. If you have never had a security audit, costs may be higher. In addition, a first-time audit is likely to disclose a great number of items worthy of further attention (i.e. more time and cost to fix potential security issues). Of course, over time, you can expect to narrow the scope of follow-on audits, so costs might be reduced.

Scope of Services

Stage 1: Conduct Security Assessment

1. Identification of key personnel to be interviewed for information gathering.
2. Identification of all critical and non-critical security components to be assessed (e.g. firewalls, IDS, proxy, applications, databases, etc.).
3. Conduct a Business Impact Analysis (BIA) that will be used to determine the appropriate controls (technical and administrative) to develop the policies.
4. Identification of all threats, vulnerabilities and security issues in each component.

Stage 2: Formulation of Target Security Architecture Designs

1. Conduct logical architecture design of IT security components to organize the physical architecture and implement security in all identified architectures. The logical structure includes processes, technology and people. It consists of perimeter security, antivirus policy, security administration, a Disaster Recovery Plan (DRP), risk and threat analysis, data security, application security, and infrastructure security.
2. Conduct physical architecture design to include network diagrams illustrating firewalls, mail gateways, proxies, modem pools, VLANs, Demilitarized Zone (DMZ), internal and external connections and devices used, and diagrams of other architectures in relation to security architecture.

Stage 3: Construction of Policies and Procedures

Develop policies and procedures to guide employees on acceptable use. When creating these policies, the client will be consulted to achieve a delicate balance between security and the ability to conduct business.

Stage 4: Implementation of Target Security Architecture Design

Once the conceptual design and all related policies and procedures are developed, implementation of the target security architecture can begin. Projects that implement architectural changes will have a plan that defines the timelines, budgets, and resources needed to implement these changes.

Stage 5: Integration of Security Practices to Maintain Secure Status

1. Change management process: Any changes to networks and other infrastructure components must go through this process.
2. Project management methodology and guidelines will serve to guide various technology projects in the organization. Security should be integrated into these guidelines at all necessary stages.

I would again like to thank you for allowing MyCompany L.L.C. the opportunity to provide for your computer and networking needs.

This solution has been prepared by your personal engineer, John Croson, and reviewed by the technical services team. John can be reached at XXX-XXX-XXX x XXX, or by email at jcroson@MyCompany.com. Please contact John or myself if you have questions or require additional technical information.

Sincerely,

MyCompany L.L.C.
pdolan@MyCompany'snet.com

Acceptance of this proposal and statement of work is acknowledged by your authorized signature below.

___________________________________ Accepted By

__________________ Title

____________ Date
