Computerworld - For the first time in my experience, I have an entire year to prepare for a technology risk assessment. And the assessment will be done by an outside consulting service. I'm a bit excited. From my perspective, this is an opportunity to come out smelling like a rose. Of course, I realize that one or more serious security deficiencies that I'm not aware of could be unearthed, but I feel pretty confident (while remembering that "pride goeth before a fall").
This all occurred suddenly. I thought that a self-assessment was all that was required. But a mandate apparently came down from the Centers for Medicare and Medicaid Services (CMS), stating that all government agencies that operate within the Health Insurance Portability and Accountability Act's guidelines must obtain a risk assessment from an outside consultancy. Besides that, our auditors weren't thrilled with the documentation of our self-assessment.
It's not that we don't know how to document what we do. It's just that sometimes we have to make choices. My boss had told me not to spend my time preparing documentation. He didn't think it was necessary, and I didn't really have the time. In this small agency, I need to spend my days implementing security technologies and tightening access controls, not writing reports. Besides, I can eyeball a firewall configuration and see where changes need to be made, but explaining what I did and why for auditors is another matter.
My boss asked me to get a quote for services "today." That's next to impossible, I said, but I'll knock myself out trying. He had good reason to rush. Budgets were about to be finalized for the coming fiscal year, and we were going to have to squeeze this quote for services into the budget before it went up to the director's office. I gave my boss my estimate of the cost of an assessment and then got to work.
As I reviewed my list of contacts in the information security world, I thought of a guy I had recently met who works for a well-known consulting firm with a good reputation. We had exchanged contact information and talked about meeting to discuss security. Well, why not? I shot him an e-mail, and he replied fast, setting up a conference call with all the powers that be for the following day. I invited my boss to take part, and within 24 hours of receiving my boss's e-mail, we had a statement of work in our hands.
For my boss, that meant he could include a figure for the audit in the budget. For me, having that statement of work piqued my curiosity. How, I wondered, would this consulting firm perform the risk assessment, and what tools would the consultants use? Part of my curiosity arose from having been a full-time security consultant for several years. Having prepared similar documents for clients over the years, I was interested in seeing how a statement of work from a large professional services firm stacked up against what I had done.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
