Host compliance audits are known by a lot of different names. Configuration reviews, security reviews, configuration audits, and host checks are just a few names I’ve heard tossed around to describe a review of the security level of a workstation, server, or device. The review combines a best practice standard with general security knowledge to identify gaps or weaknesses in system configurations, assign each a risk rating, and recommend a fix. We’ve written in more detail about this activity in the past here, but that’s a 50,000-foot view. It’s usually helpful to understand the investment when looking at certain activities or services and trying to work out the return on investment for your organization. So how much does a host compliance audit cost?
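To make the "compare against a standard, assign a risk, recommend a fix" loop concrete, here is an added example (not code from the original post or from the firm that wrote it) that audits an OpenSSH `sshd_config` against a small baseline. The baseline values, the risk ratings and the sample config are constructed assumptions for illustration, not a published benchmark; the `default` values are what recent OpenSSH releases use when a keyword is absent and should be verified against the version on the host being reviewed.

```python
"""Baseline configuration check for an OpenSSH sshd_config.

Added example: parses a (constructed) sshd_config the way sshd reads it,
compares the global settings with a small baseline, and reports each gap
with a risk rating and a recommended fix. The baseline, ratings and
sample config are illustrative assumptions, not a real benchmark.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    expected: str  # value the baseline requires
    default: str   # value sshd uses when the keyword is absent (assumed; verify per version)
    risk: str      # High / Medium / Low, as assigned by the auditor
    fix: str       # recommended remediation


# Illustrative baseline (assumption, not a published benchmark).
BASELINE = {
    "permitrootlogin": Rule("no", "prohibit-password", "High",
                            "Set 'PermitRootLogin no' and use sudo for privileged work."),
    "passwordauthentication": Rule("no", "yes", "Medium",
                                   "Set 'PasswordAuthentication no' and deploy key-based auth."),
    "permitemptypasswords": Rule("no", "no", "High",
                                 "Set 'PermitEmptyPasswords no'."),
    "maxauthtries": Rule("4", "6", "Low",
                         "Set 'MaxAuthTries 4' to slow online guessing."),
    "x11forwarding": Rule("no", "no", "Low",
                          "Set 'X11Forwarding no' unless X forwarding is required."),
    "loglevel": Rule("verbose", "info", "Low",
                     "Set 'LogLevel VERBOSE' so key fingerprints are logged."),
}

# Constructed sample sshd_config; not taken from any real host.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
X11Forwarding no
LogLevel INFO

Match User backup
    PasswordAuthentication no
"""


def parse_sshd_config(text: str) -> dict:
    """Return global keyword -> value, following sshd's own rules:
    keywords are case-insensitive, the FIRST occurrence of a keyword wins,
    and everything after a 'Match' line applies only conditionally, so it
    is not part of the global configuration."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    return settings


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    actual: str
    risk: str
    fix: str


def audit(settings: dict, baseline: dict = BASELINE) -> list:
    """Compare parsed settings with the baseline; return one Finding per gap."""
    findings = []
    for key, rule in baseline.items():
        actual = settings.get(key, rule.default)
        if actual.lower() != rule.expected.lower():
            label = actual if key in settings else f"{actual} (default, not set)"
            findings.append(Finding(key, rule.expected, label, rule.risk, rule.fix))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per risk level, highest first."""
    counts = {}
    for f in findings:
        counts[f.risk] = counts.get(f.risk, 0) + 1
    return {r: counts[r] for r in ("High", "Medium", "Low") if r in counts}


if __name__ == "__main__":
    results = audit(parse_sshd_config(SAMPLE_CONFIG))
    order = ("High", "Medium", "Low")
    for f in sorted(results, key=lambda f: order.index(f.risk)):
        print(f"[{f.risk}] {f.setting}: expected '{f.expected}', found '{f.actual}' -> {f.fix}")
    print(summarize(results))
```

Two details matter for a reviewer: the parser stops at the first `Match` block, because a setting inside it (here `PasswordAuthentication no` for one user) does not change the global policy, and keywords absent from the file are evaluated against the daemon's default rather than skipped, since "not set" is often where a hardening guide silently fails to apply.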
How do you determine the cost?
For this type of activity, it’s very straightforward. The primary basis for the cost of a host compliance audit is simply the number of systems or devices we’re assessing. For the most part, whether we’re looking at a network device (router, switch, etc.), a workstation, or a server (Windows, RedHat, Ubuntu, AIX, etc.), the average time it takes to thoroughly review the configuration and document our findings is fairly similar. There are some edge cases that will definitely take more time, such as full Group Policy Object reviews when auditing a domain controller, but a good estimate is to take our standard per-device price and multiply it by the number of devices you want reviewed.
There are some other considerations you’ll need to make to accurately factor cost, however. One is travel. If any of the devices we’re looking at are not remotely accessible (e.g., over a VPN), we’ll have to consider whether to come onsite for the host compliance audit or ship you a system that we can access remotely and perform the audit through it. Either way, there is likely some additional cost associated. The other consideration is whether the devices under review are “specialty” devices. Now I realize this is a very ambiguous term, but in general, if a device we need to audit isn’t mainstream there may be some difficulty finding a reliable standard that can effectively be used for the audit. This doesn’t happen very often.
So how much does a host compliance audit cost?
A host compliance audit can:
- uncover detailed configuration issues in your hardening processes,
- help build new hardening processes for a class of device,
- verify that your system hardening guides are working and being applied as intended, or
- help provide a higher level of assurance of the security of high-risk systems.
The requirements from the client side to perform one of these assessments are very limited and the risks associated with the assessment are almost nil.
Many times, we see host compliance audits pair well with a Best Practice Gap Analysis or with preparation for an audit. This is an activity that will likely have an immediate impact on your next internal penetration test as well, since so many of the findings we see there are related to core configuration issues. Before you think about this type of assessment though, take a look at our top 3 ways to improve your results so you can get a bit of a head start!