Yigit Turgut wrote:
> Hello Everyone,
>
> Company I am working for is planning to hire a 3rd party Security Auditing
> company and they wanted to have opinions from us.
> We have a 120 client internal network configured with various Cisco
> equipment and a wide-range wireless as well as 2 webservers and 3 ftp.
>
> Any suggestions ?
>
> Thank you
>

In addition to what the others have said, I suggest you consider the following:

IT 'security' is in many ways like physical security (and physical security is a critical part of an IT security strategy too, but I digress). The point is that security is a relative thing, not an absolute. You have to decide how valuable your data is/systems are. Then you have to decide how much you are willing to spend in time, effort, money, and inconvenience to obtain a level of security appropriate for your needs. You will never be able to obtain a completely secure system.

An analogy is life insurance: you only need as much insurance as you need, nothing more, and nothing less. In other words, you balance risk with cost.

My only recommendation would be to ensure that whomever you contract to assess your security systems first defines/assesses what your security needs actually are. There are a lot of people who will do the 'job', but the right way to do the job is to first identify the level of security needed, and what compromises can be made to obtain that security level.

Because of this needs assessment, a security audit is a very complex thing to do, and can be expensive. On the other hand, if you have a lot to lose, it is worth doing right. It also means that by definition there is no one-size-fits-all security policy. It must always be tailored.

On the other hand, there are cheap and easy things you can do to maintain a rudimentary level of security, and a good consultant will be able to identify where your basics are effective, and where they need improvement.

Rolf