Scribd Logo
Upload

Welcome to Scribd!

  • SOW Security

    Uploaded by

    John Croson
    1K views3 pages
    Sample statement of work for security audit.

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    DOC, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Sample statement of work for security audit.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    1K views3 pages

    SOW Security

    Uploaded by

    John Croson
    Sample statement of work for security audit.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    Friday, October 07, 2005

    David Demarais
    Integrated Billing
    7071 South 13th Street
    Suite 104
    Oak Creek, WI 53154

    Dear David,

    The following contains MyCompany's proposal for a network security audit. We, at MyCompany's, feel this
    solution will meet the needs of Integrated Billing network and data security requirements.

    Overview
    This proposal outlines the scope of work necessary to implement the network security audit at Integrated
    Billing. The suggested stages will ensure a proper audit, and recommend steps toward securing your
    environment.

    Performing a security audit is not a trivial affair. For a moderate sized firm in a single location, total
    calendar time to complete the audit may be three weeks to a month, dedicating an engineer to the project full
    time. Security audits, especially for the first audit, are not inexpensive. Costs depend on a wide variety of
    factors. A firm with a couple of hundred people in a single office with the "normal" array of computer
    applications found in a typical law firm, might expect to pay $25,000 to $30,000 for a good in-depth security
    audit.

    If you have never had a security audit, costs may be higher. In addition, the first time audit is likely to
    disclose a great number of items which are worthy of further attention (i.e. more time and cost to fix potential
    security issues). Of course, over time, you can expect to narrow the scope of follow on audits. So costs might
    possibly be reduced.

    Scope of Services

    Stage 1
    Conduct Security Assessment
    1. Identification of key personnel to be interviewed for information gathering.
    2. Identification of all critical and non-critical security components to be assessed (e.g. firewalls, IDS,
    proxy, applications, databases, etc.)
    3. Conduct a Business Impact Analysis (BIA) that will be used to determine the appropriate controls
    (technical and administrative) to develop the policies.
    4. Identification of all threats, vulnerabilities and security issues in each component.

    Stage 2
    Formulation of Target Security Architecture Designs
    1. Conduct logical architecture design of IT security components to organize the physical architecture and
    implement security in all identified architectures. The logical structure includes processes, technology
    and people. It consists of perimeter security, antivirus policy, security administration, a Disaster
    Recovery Plan (DRP), risk and threat analysis, data security, application security, and infrastructure
    security.
    2. Conduct physical architecture design to include network diagrams illustrating firewalls, mail gateways,
    proxies, modem pools, VLANs, Demiliterized Zone (DMZ), internal and external connections and
    devices used, and diagrams of other architectures in relation to security architecture.

    Stage 3
    Construction of Policies and Procedures
    Develop policies and procedures to guide employees on acceptable use. When creating these polices,
    client will be consulted to achieve a delicate balance between security and the ability to conduct
    business.

    Stage 4
    Implementation of Target Security Architecture Design
    Once the conceptual design and all related policies and procedures are developed, implementation of
    target security architecture can begin. Projects that implement architectural changes will have a plan that
    defines timelines, budgets, and resources needed to implement these changes.

    Stage 5
    Integration of Security Practices to Maintain Secure Status
    1. Change management process: Any changes to networks and other infrastructure components must go
    through this process.
    2. Project management methodology and guidelines will serve to guide various technology projects in
    the organization. Security should be integrated into these guidelines at all stages necessary by these
    guidelines.

    I would again like to thank you for allowing MyCompany L.L.C. the opportunity to provide for your computer
    and networking needs.
    This solution has been prepared by your personal engineer, John Croson, and reviewed by the technical services
    team. John can be reached at XXX-XXX-XXX x XXX, or by email at, jcroson@MyCompany.com

    Please contact John or myself if you have questions or require additional technical information.

    Sincerely,

    MyCompany L.L.C.
    pdolan@MyCompany'snet.com

    Acceptance of this proposal and statement of work is acknowledged by your authorized signature below.

    ___________________________________ __________________ ____________


    Accepted By Title Date

    You might also like