[unisog] RE: Outside Penetration Testing and FERPA

GREGORY SEIBERT gregs at kent.edu
Tue Dec 7 18:34:31 GMT 2004

I think this brings us full circle to my original point - and my last post
on this topic - (sustained applause in the background noted!)
If I was writing a grant proposal, preparing for a lecture or conducting
research, I would be delighted to enlist the help of Jay or Hal. If I need
to conduct an audit on a network subject to increasingly complex legal,
political, financial and technical demands, I'd be compelled to stick with
one of the previously mentioned companies. Name recognition, deep pockets,
politics, legal requirements begin to figure into the picture - sometimes
even more than the pure technicalities do. It is up to us custodians of
protected information and communication highways to make sure that we
present a warm fuzzy secure feeling to those who rely on us - and to the
feds. Most business types know that propeller heads frequently end up being
kicked out of the companies that they found - or at least being pushed
aside - because they frequently don't have good business sense. Of course,
Mr. Bill being a notable exception. Jay and Hal are good people, but my
auditing committee, my president and Board of Trustees don't know Jay and
Hal. They do know IBM, NEC, big accounting firms, etc. (and of course Mr.


Gregory A. Seibert, CISM
Director of Security and Compliance
Suite 384 Library
Kent State University
330-672-0383 (Voice)
330-672-9374 (FAX)

From: Valdis.Kletnieks at vt.edu
Sent by: unisog-bounces at lis
To: UNIversity Security Operations Group <unisog at lists.sans.org>
cc:
Subject: Re: [unisog] RE: Outside Penetration Testing and FERPA
Date: 12/06/2004 11:26
Please respond to Operations Group

> Anderson was reputable at some point in time...) I would certainly agree
> that it would be irresponsible to allow Fly-By-Night, Incorporated to
> around a network no matter how many agreements and contracts were in

OK.. Would you allow Deer Run Associates to audit your network?  Or
how about JJB Security Consulting?

Does your opinion change any if I tell you that Deer Run is Hal Pomeranz's
firm? Or that JJB is Jay Beale's consultancy? (Yes, *that* Hal and *that*

Who's more likely to actually *know* what they're doing, Hal and Jay or
people the Reputable Firm sends over?  (And it isn't just Hal and Jay
either - the
majority of *really* clued security people who are doing consulting are
doing so for their own small firms, not Some Big Name Recognition Place).