-----------------------------------------------------
John Robert Stratton
N5AUS
Office telephone: 512-445-6262
Cell: 512-426-2028
PO Box 2232
Austin, Texas 78768-2232
-----------------------------------------------------
Here is the detail on the selection of the security assessment firm. Provided by Mike Keane through Barry Shelley.
73,
Greg, K0GW
-------- Original Message --------
Subject: Re: FW: [arrl-odv:24200] Re: Summary of LoTW Study Committee meeting
From: "Keane, Michael, K1MK" <mkeane@arrl.org>
To: "Shelley, Barry, N1VXY" <bshelley@arrl.org>
CC:
OK, let me try to put down some words as a starting point. I'd begin a listing of our selection criteria with:
- We wanted a consultancy for whom security was a core business activity -- we spoke to a number of IT services companies and VARs in the Hartford / Springfield / New Haven area who could have provided us with the services of "their security guy". We instead chose to engage a firm where all members of the technical staff are security professionals.
- Along the same lines, we wanted a firm whose staff objectively demonstrated their competence by holding current security-industry certifications. For lack of a better frame of reference I fell back upon my previous life and employed the DoD's ranking of certifications in the Information Assurance Workforce (<http://iase.disa.mil/iawip/Pages/index.aspx>) in evaluating potential consultants. That ranking is:
  Level III (the highest):
  - CISA
  - GCED
  - CISSP
  - CASP
  - GCIH
  Level II:
  - GSEC
  - Security+
  - SSCP
  - CCNA-Security
  Level I:
  - A+
  - Network+
  - SSCP
  - CCNA-Security
The details of the alphabet soup aren't what's important. What is relevant is that GreyCastle's staff hold many of the higher-level certifications on that list while the other firms that we interviewed had few if any. A lack of formal certification was the basis for immediate elimination from further consideration.
- We wanted an assessment that was responsive to our needs. Standard security assessments are becoming a "commodity" service. We were looking for a consultant who would be able to "dig a little deeper" and provide us with additional value beyond just confirming the results of the assessments that we have already performed in-house.
--
Michael Keane, K1MK
IT Manager
ARRL, The National Association for Amateur Radio™
225 Main Street, Newington, CT 06111-1494 USA
Telephone: (860) 594-0285
email: mkeane@arrl.org