
Friday, October 07, 2005

David Demarais
Integrated Billing
7071 South 13th Street
Suite 104
Oak Creek, WI 53154

Dear David,

The following contains MyCompany's proposal for a network security audit. We at MyCompany feel this
solution will meet Integrated Billing's network and data security requirements.

Overview
This proposal outlines the scope of work necessary to implement the network security audit at Integrated
Billing. The suggested stages will ensure a proper audit, and recommend steps toward securing your
environment.

Performing a security audit is not a trivial affair. For a moderate-sized firm in a single location, total
calendar time to complete the audit may be three weeks to a month, dedicating an engineer to the project full
time. Security audits, especially for the first audit, are not inexpensive. Costs depend on a wide variety of
factors. A firm with a couple of hundred people in a single office with the "normal" array of computer
applications found in a typical law firm, might expect to pay $25,000 to $30,000 for a good in-depth security
audit.

If you have never had a security audit, costs may be higher. In addition, the first-time audit is likely to
disclose a great number of items which are worthy of further attention (i.e. more time and cost to fix potential
security issues). Of course, over time, you can expect to narrow the scope of follow-on audits, so costs might
possibly be reduced.

Scope of Services

Stage 1
Conduct Security Assessment
1. Identification of key personnel to be interviewed for information gathering.
2. Identification of all critical and non-critical security components to be assessed (e.g. firewalls, IDS,
proxy, applications, databases, etc.)
3. Conduct a Business Impact Analysis (BIA) that will be used to determine the appropriate controls
(technical and administrative) to develop the policies.
4. Identification of all threats, vulnerabilities and security issues in each component.

Stage 2
Formulation of Target Security Architecture Designs
1. Conduct logical architecture design of IT security components to organize the physical architecture and
implement security in all identified architectures. The logical structure includes processes, technology
and people. It consists of perimeter security, antivirus policy, security administration, a Disaster
Recovery Plan (DRP), risk and threat analysis, data security, application security, and infrastructure
security.
2. Conduct physical architecture design to include network diagrams illustrating firewalls, mail gateways,
proxies, modem pools, VLANs, Demilitarized Zone (DMZ), internal and external connections and
devices used, and diagrams of other architectures in relation to security architecture.

Stage 3
Construction of Policies and Procedures
Develop policies and procedures to guide employees on acceptable use. When creating these policies,
the client will be consulted to achieve a delicate balance between security and the ability to conduct
business.

Stage 4
Implementation of Target Security Architecture Design
Once the conceptual design and all related policies and procedures are developed, implementation of
target security architecture can begin. Projects that implement architectural changes will have a plan that
defines timelines, budgets, and resources needed to implement these changes.

Stage 5
Integration of Security Practices to Maintain Secure Status
1. Change management process: Any changes to networks and other infrastructure components must go
through this process.
2. Project management methodology and guidelines will serve to guide various technology projects in
the organization. Security should be integrated into these guidelines at all stages where the
guidelines call for it.

I would again like to thank you for allowing MyCompany L.L.C. the opportunity to provide for your computer
and networking needs.
This solution has been prepared by your personal engineer, John Croson, and reviewed by the technical services
team. John can be reached at XXX-XXX-XXX x XXX, or by email at jcroson@MyCompany.com.

Please contact John or myself if you have questions or require additional technical information.

Sincerely,

MyCompany L.L.C.
pdolan@MyCompany'snet.com

Acceptance of this proposal and statement of work is acknowledged by your authorized signature below.

___________________________________ __________________ ____________


Accepted By Title Date