Setting the scope correctly is the number one thing you need to worry about when you're starting the process of choosing a pen test provider. Why does everyone harp on scoping with timing and pricing?? Hi, I'm Josh Tomkiel, I'm a senior manager here at Schellman on the pen test team. I've been in the industry for over 10 years, started off as a penetration tester working on web applications and internal and external networks. And now I'm on the manager side overseeing projects. So you've decided you're going to have a penetration test performed, you're going out talking to vendors, getting estimates. But the first thing that everybody asks you: "what's the scope? What's the scope?" Why is it so important? It's important because the scope dictates:

So you've decided that you're going to have a penetration test performed and you want to know how long it's going to take. Awesome! I'm sure you want that report in your hand right away. This video is going to cover some of the tips you need to know about that could impact the timing of a penetration test.

Jumpstart your IT audit career with Schellman.

Like most organizations today, you've probably noticed an increase in privacy questionnaires in addition to the already existing security questionnaires from your customers. This is likely driven by the General Data Protection Regulation of 2016, otherwise known as the GDPR, and your organization is probably trying to figure out what the next best step is for you to take. In this video, we'll walk through some of our offerings related to GDPR as well as the pricing, scoping, and cost structure involved there.

So you're curious about penetration testing? What is it? Do you really need it? Sure, it's useful for compliance, but is that all?

If you are a vendor or a supplier of Microsoft and have been asked to go through their supplier security and privacy assurance program, you may be wondering how much this assessment costs. In this video, we will break down the price range of the assessment cost and the factors that could influence the price.

We get it: You didn't budget for a compliance assessment. You were trying to sell a deal to a customer who came back to you and said you needed a SOC 2 audit or an ISO certification. But when you're making a choice, what are the implications if you go with one firm versus another in particular if you go with a low-cost provider? I'm Doug Barbin, managing principal and chief growth officer at Schellman. We've been performing assessments for over 20 years of companies of all sizes, from start-up companies to the Fortune 50. You're a start-up company. You're active in the marketplace and you're selling to customers. And you get to that deal where this customer says, this looks great, it looks like a fit for me, but I need to see proof of your security program. I need a SOC 2 report. From there, what do you do? You go out, you research different types of firms. There are certainly firms that are larger at the higher end, such as the big four firms that have the brand names and the prestige and are very, very expensive. There are often smaller firms, too, that can do this at a much lower cost. What are the things that you need to think about, though, when you're going in the direction of a low-cost provider? In particular, we get that this was not budgeted. We get that this was something that you weren't planning to do. And from a certain degree, it's a checkbox that you need to achieve in order to sell to that customer. However, what does it really mean after that? A SOC 2 report is really a statement that your security program and your commitments to your customers are being met. And those commitments have been vetted by an independent third-party assessor like Schellman. And that's what we do.

So you are a defense contractor or maybe you are participating in a large defense contract. As a result, you may have heard that you need to comply with CMMC. Let's talk about what that is.

A hot topic for conversation recently has to be the HITRUST release of their i1 certification. In this video, we're going to talk about what the i1 certification is and does it make sense for you to go for that one certification or to continue to do the r2 certification that we've all known in the past?