Where possible, my fee structure is significantly discounted from rates charged to for-profit companies. My fees are based on actual charges incurred by the for-profit companies I worked for or on published rates charged by companies servicing the for-profit sector.
Security Awareness Training
My security awareness training presentation is approximately 1 hour long and includes handouts and formal attendance documentation. Normally, training is split between two sessions to allow half of the employees to take one session at a time, resulting in 2 hours total training time. Both sessions should be scheduled back-to-back, although I will consider conducting the two sessions on consecutive days, one session per day. Whether the training includes one or two sessions, the fee for the training is $250.
Risk Assessments are the foundation of both a Disaster Recovery and Business Continuity Plan. They involve working with your managers to identify your assets and the risks that they face. Each risk is then evaluated and ranked, and a mitigation plan is developed for each identified risk. KCC will conduct a complete risk assessment at the rate of either $1500 or $90 per end-user, whichever is greater.
Disaster Recovery Plan
Once a Risk Assessment is complete, the next level of security is to develop a disaster recovery plan. This will be a detailed plan that spells out the recovery processes for all critical systems which were identified in the Risk Assessment. This includes identifying and enumerating all relevant points of contact, contact information, recovery strategy, and details on how to complete all recovery tasks. This process includes not only the development of a Disaster Recovery Plan, but also a two-hour table walk-through of the plan to validate the plan before it is finalized. KCC charges $2250 or $150 per end-user, whichever is greater, to complete a Disaster Recovery Plan, if completed on its own. However, if the Disaster Recovery Plan is completed in concert with a KCC Risk Assessment, then the combined cost for the Assessment/DRP package will be $3000 or $210 per end-user, whichever is greater.
Business Continuity Plan
While the Disaster Recovery Plan focuses on the information systems that may fail and need to be recovered, the Business Continuity Plan goes beyond that scope to include a focus on the business processes themselves. This includes reviewing and enumerating alternative methods of conducting all business processes in the event of a disaster. It includes a two-hour walk-through validation of the plan before the plan is finalized. KCC charges $4500 or $300 per end-user, whichever is greater, to complete a Business Continuity Plan, if completed on its own. However, if the BCP is completed in concert with both the KCC Risk Assessment and KCC DRP, then the combined cost for completing all three (Risk Assessment/DRP/BCP) will be $6300 or $450 per end-user, whichever is greater.
Assessment and Plan Maintenance
KCC recommends that client managers review and update the Risk Assessment, Disaster Recovery Plan, and Business Continuity Plan on their own annually for two years. Although it is tempting to simply review and update previous assessments indefinitely, this approach to saving time and money often backfires, as it leads to large gaps in the analysis which overlook the changes in assets and operations that take place over time. KCC therefore recommends conducting a complete, "ground up" Risk Assessment, Disaster Recovery Plan, and Business Continuity Plan. If the company has an assessment or plan completed by KCC, then KCC will review and update the existing plan on a discounted scale. If the original plan is less than 3 years old, KCC will charge 1/3 the original price to review and update it. If the original plan is more than 3 but less than 5 years old, KCC will review/update the plan for 2/3 the original price. Once the original plan is 5 years old, a completely new assessment or plan should be created at the then-current rate.