Educause Security Discussion
mailing list archives
Re: sample audit RFP
From: Georgia Killcrece <georgia () CERT ORG>
Date: Wed, 19 Sep 2007 09:52:53 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Youngquist, Jason R. wrote:
> Does anyone have a sample RFP for a comprehensive IT security audit that
> you would be willing to share?
> Network Engineer - Security
> 1001 Rogers Street, Columbia, MO 65216
> jryoungquist () ccis edu
I saw your message about the RFP for IT security audit, and although it
is not specifically an audit tool, you might want to have a look at
our Incident Management Capability Metrics at
It looks at practices within the end-to-end incident management
activities and can be used in a 'self-assessment' approach. This
method is currently being used within the DoD community where all their
computer network defense 'service providers' must be certified and
accredited. It has also been transitioned to the Federal government
agencies (who are using it as a self-assessment tool). From that
work, the SEI has been able to take the work and transition it out
to a broader community.
Take a look and if you find that it is of use, we'd be interested
in your feedback.
CERT(R)-Certified Computer Security Incident Handler
CSIRT Development Team
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890 U.S.A.
Key ID: 0xFA1A135E
Fingerprint: 0089 77C6 5BEB 810A 1C35 96A5 47A8 F036 FA1A 135E
The CERT Coordination Center is part of the Software Engineering
Institute (SEI). The SEI is sponsored by the U.S. Department of Defense.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
-----END PGP SIGNATURE-----