
IT Infrastructure Audit General Costs



lseuch
Looking to get an idea of what it might cost for a firm to come in and do an infrastructure audit: confirm servers are installed and configured properly for security and efficiency; identify hardware and software that might impact productivity; check the efficacy of back-ups and confirm the adequacy of monitoring and management, etc. We're a small organization (<50 employees). Are we talking $10K? $100K?
  • +
    0 Votes
    gechurch

    I imagine you'll find the answer will vary a lot. Some companies will go into much more detail than others. Some will charge like a wounded bull, some will be reasonable.

    The other thing making it hard is we don't know how much infrastructure you have, how much software you have, how much is web-based, how many systems interact with each other, and what level of detail you want them to go to. Knowing you have 50 employees isn't relevant for an infrastructure audit. I work for some companies with over 100 employees and a single server. Other companies have 20 employees and multiple servers and LOB applications.

    Where I live, I'd imagine $100-$150 per hour would be the going rate. I'm sure some places around here would try to charge considerably more. I'm not so sure that you'd actually get a better audit for your money. Most of my clients have relatively simple environments, but thinking of my clients of similar size I could do a reasonable audit in 10-15 hours. Reasonable meaning running the best-practice analyzers, checking open ports, checking password complexity requirements, security event logs, auditing firewall logs, and auditing hardware and software on servers. That assumes that you as the client can answer the questions I need to know. For example, if you want me to ensure that only ports that are required are allowed through the firewall, I first need to know what ports are actually needed. If I need to figure that out myself that will take a lot longer.

    To do a thorough job you would need to go into a lot more detail in each step. For example, do you want to know if any of your applications are susceptible to code-injection? Do you want me to make a serious hack attempt against your servers? Should I call staff to see if they are susceptible to social engineering, or offer the cleaning staff $100 to pull out a network cable to the server to see if they'll do it? Do you want a full disaster recovery practice run to ensure the restore procedure is solid, or is just checking that backups aren't corrupt enough? Do you have a virtualization layer or are you straight physical? Do you want serial numbers and warranty dates audited? There are all sorts of in-depth things like this that can be done at each step. And as the amount of software and hardware you have increases, the time to audit it all can increase exponentially.

    Anyway, I know you're only after a ballpark. At $150/hour you'd get around 8 days of someone's time for $10k. That seems like plenty, so I'd say $10k is the right ballpark (it could easily be half that for a relatively simple environment). $100k would be 8 hours a day for over three months... I can't possibly imagine an audit taking that long.
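Two of the "reasonable audit" checks the answer above lists (only required ports reachable through the firewall, and password complexity requirements) are the kind of thing an auditor scripts so the findings are repeatable. The following is an added example and not code from the poster or from any audit firm: it parses a constructed, `ss -ltnH`-style listener dump and a constructed `pwquality.conf`-style fragment, compares them against a hypothetical client-supplied allowlist of required ports and a hypothetical baseline policy, and returns findings. The sample data, port allowlist and baseline values are all assumptions made for the example.

```python
"""Two repeatable audit checks: exposed-port allowlist and password policy baseline.
Added example; the inputs below are constructed, not captured from a real host."""
import re
from dataclasses import dataclass

# Constructed sample in the column layout of `ss -ltnH`
# (State Recv-Q Send-Q Local:Port Peer:Port). Not real output.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""

# Hypothetical allowlist: the ports the client says the business needs.
# This is the answer to the "what ports are actually needed" question.
REQUIRED_PORTS = {22: "ssh admin", 443: "https web app"}

_LOCAL = re.compile(r"^(?P<addr>\S+):(?P<port>\d+)$")


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int

    @property
    def externally_reachable(self) -> bool:
        # Loopback-only binds are not exposed through the firewall.
        return self.addr not in ("127.0.0.1", "[::1]")


def parse_ss(output: str) -> list[Listener]:
    """Extract (address, port) from LISTEN rows; skip anything malformed."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        m = _LOCAL.match(fields[3])
        if m:
            listeners.append(Listener(m.group("addr"), int(m.group("port"))))
    return listeners


def unexpected_listeners(listeners, required=REQUIRED_PORTS) -> list[int]:
    """Externally reachable ports not in the documented allowlist (security finding)."""
    return sorted({l.port for l in listeners
                   if l.externally_reachable and l.port not in required})


def missing_required(listeners, required=REQUIRED_PORTS) -> list[int]:
    """Required services that are not listening at all (availability finding)."""
    present = {l.port for l in listeners}
    return sorted(p for p in required if p not in present)


# Constructed fragment in the `key = value` style of pwquality.conf.
SAMPLE_PWQUALITY = """\
# minimum length
minlen = 8
dcredit = 0
ucredit = -1
"""

# Hypothetical baseline. In pwquality, a negative *credit value is a minimum
# count of that character class, so "weaker" means a value greater than baseline.
MIN_POLICY = {"minlen": 12, "dcredit": -1, "ucredit": -1, "lcredit": -1, "ocredit": -1}


def parse_kv(text: str) -> dict[str, int]:
    """Parse `key = int` lines, ignoring comments and blank lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            cfg[key] = int(value)
    return cfg


def password_policy_findings(cfg: dict[str, int], minimum=MIN_POLICY) -> list[str]:
    """Return one finding per setting that is missing or weaker than the baseline."""
    findings = []
    for key, baseline in minimum.items():
        value = cfg.get(key)
        if value is None:
            findings.append(f"{key} not set (baseline {baseline})")
        elif key == "minlen" and value < baseline:
            findings.append(f"minlen={value} below baseline {baseline}")
        elif key != "minlen" and value > baseline:
            findings.append(f"{key}={value} weaker than baseline {baseline}")
    return findings


if __name__ == "__main__":
    ls = parse_ss(SAMPLE_SS_OUTPUT)
    print("unexpected exposed ports:", unexpected_listeners(ls))
    print("required but not listening:", missing_required(ls))
    for f in password_policy_findings(parse_kv(SAMPLE_PWQUALITY)):
        print("password policy:", f)
```

On the constructed sample the port check flags only 5900 (the MySQL listener on 3306 is loopback-only, so it is not a firewall exposure), and the policy check produces four findings (short `minlen`, no digit requirement, and two classes never configured). The point the answer makes still applies: the script is only as useful as the allowlist and baseline the client can supply.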
