-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com] On Behalf Of Chris Stromblad
Sent: Thursday, November 30, 2006 5:00 AM
To: pen-test@securityfocus.com
Subject: Pen-testing - pricing model
Hi list,
Say I were to give you one of the following scenarios, what would you
charge (roughly):
1. "Black box with shades of gray", 2 /24 networks, not all
devices are
active. External scan.
Mostly included in the total below price, you are looking for either on
onsite IT security audit, or an IT security audit with a 'compliance'
component (what regs?)
2. Internal scan, only devices
How many?
3. Internal scan, procedures, physical security and devices
How many (again)
For procedures, are you talking:
1) standard IT security best practices (policy gap analysis, conformance
to policy?)
2) HIPAA, GLBA, SOX, PCI, FERPA, OTC, OCC, NIST (oh, you are in .se.. )
would depend, mostly, maybe ISO 17799 (2700x)
For physical security? How many locations, where are they located?
You would be expected to pay for onsite visits, time and mileage, per
diem, travel expenses.
I know this question is somewhat difficult to answer, because
there is
no correct answer, but any advice is welcome.
Also, US pricing would be different than EU pricing anyway.
--
Michael Scheidell, CTO
SECNAP Network Security Corporation
Web based security and privacy training
http://www.secnap.com/training
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
