In Coopers & Lybrand's Words: Solution Summary
It is our desire to provide PRIS with timely and meaningful information after assessing the security environments of its various organizations. In that light, we have developed the following strategy for providing value-added deliverables to PRIS.
At the outset of our security assessment procedures at every PRIS location, we will review our anticipated timeline for initiating and completing each major phase of the project. At the conclusion of each major phase of the assessment project--for example, the NT Server security assessment--we will provide a draft report that outlines the security-related findings and observations resulting from the detailed work-program tasks performed, along with recommendations for mitigating risks and vulnerabilities. This report will be provided in draft and later consolidated with other reports resulting from completed phases of the organization's security assessment.
At the conclusion of our fieldwork, we will consolidate interim draft documents as described above; present a consolidated draft of our findings, observations and recommendations to PRIS of the assessed organization; revise our draft document based on comments received from the assessed organization; revise our draft document based on comments received from the PRIS corporate security council; and issue a final document to the PRIS corporate management of the assessed organization.
Potential findings developed during the execution of our work programs will be discussed with appropriate personnel as they are uncovered.
At the conclusion of our assessment, a security infrastructure design will be possible. Many geographically dispersed companies with diverse computing and network environments are using the open systems of Web and Internet standards to communicate securely among all locations. The diagram (on page 60) depicts a possible network security infrastructure for PRIS. Each office uses redundant Internet connections with the supporting firewalls and intrusion-prevention mechanisms. Encrypted tunneling VPNs (virtual private networks) can be established among all of the offices. Even remote users, such as IS staff and executives, can securely connect to the corporate network. Eventually, customers and trading partners also can be included in the circle of trust created by these VPNs.
Coopers & Lybrand
Pros:
Large organization able to offer a range of services, including application-level inspection
Cons:
Moderately expensive for what is proposed; doesn't thoroughly address all issues
Network Computing's Evaluation Of Coopers & Lybrand's Response
Coopers & Lybrand's proposal was perhaps the most detailed we received at the base auditing level. Its approach was very thorough, documenting every point of coverage within individual platforms: Windows NT, NetWare, Unix and Windows 95. Details ran the gamut from file system rights checks, to higher level NDS policies, to drilling all the way down to transmission media from a physical standpoint. However, as in many of the other proposals we received, the OS/390 issue was completely ignored. In fact, only Miora and Price Waterhouse specifically addressed, or even mentioned, OS/390.